
Preface

Hello everyone, I’m Brother A. Back after a month-long hiatus, today we’re talking about an interesting topic: Do we really need to say goodbye to Fastjson?

My attitude

I’ve written several articles about JSON on CSDN, notably a paid column in 2020: “Enjoy learning Jackson”. By my standards its sales were fine: about 200 copies sold in 4 months (not worth boasting about, but I am very satisfied 😄), which shows how much interest even a small JSON library attracts. The column inevitably compares Jackson with Fastjson, and I’ve been on the fence for two main reasons:

  1. Both are very popular (Fastjson is even more popular than Jackson in China), so I use both in my development.
  2. Domestic open source software deserves support, even if there is still a gap (think of the gap between the first domestic phones and iPhones, and look at them now).

Of course, this article is different and has to carry an opinion. Being neutral does not mean having no preference: I clearly prefer Jackson as the only JSON library.



From now on, I will transfer all the content of the paid column in CSDN to the public account, to help you easily embrace the world’s best JSON library: Jackson.

There is no comparable tutorial on the market (not even on the official website); this is the only one. Of course, this will certainly hurt sales of my CSDN column (small money is still money 😄), so I hope you will follow the public account and this column, and find studying it worthwhile.



The Alibaba Cloud Emergency Response Center has detected a new deserialization remote code execution vulnerability in Fastjson. Attackers can use the vulnerability to bypass the autoType restriction and remotely execute arbitrary commands on the server. The risk is high (aside: this bug must be fixed). Fortunately, the official response was swift.

Do you remember when Fastjson’s last high-risk security vulnerability was? Yes, it was on 2019-09-04; the two are really not far apart. I still remember the complaints at the time, and the email sent by our security department can still be found 😄.

Of course, there were bugs before, but none drew as much attention as these two. The main reason is that the two came close together and were both high-risk and far-reaching, so the community reaction was relatively strong.

These two “adjacent” security vulnerabilities really put Fastjson at the center of the storm and stirred up the public; for a while, calls to “ditch Fastjson and embrace Jackson/Gson” were incessant. That is easy to understand, since nobody wants to receive emails like this from the company’s security department every now and then:

The steps to fix this vulnerability are simple: upgrade the Fastjson version and restart the application. It looks effortless, but it is a big pit. Have you ever considered what happens when there are hundreds of Java applications? Never mind the time and labor costs of the operation itself; the management workload alone should not be underestimated. So if you are the technical leader, it is understandable to vent the anger in your chest.

I believe very few departments/teams package Spring Boot applications with the dependency jars separated from the application jar. Most therefore have to go through the whole cycle of upgrade -> commit code -> merge code -> pre-release -> go live -> verification, which is quite troublesome.
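An added example, not part of the original article: a small Python audit for the situation described above, where each Spring Boot fat jar carries its own nested copy of Fastjson. It lists the archives whose Fastjson is older than a minimum version you supply from the advisory; the function names are this example's own, and jars are identified by file name only (an assumption that holds for unrenamed Maven artifacts).

```python
import re
import sys
import zipfile
from pathlib import Path

# Matches a Fastjson jar by file name, e.g. BOOT-INF/lib/fastjson-1.2.72.jar
FASTJSON_JAR = re.compile(r"(?:^|/)fastjson-(\d+(?:\.\d+)*)[^/]*\.jar$")


def version_key(version):
    """Turn '1.2.72' into (1, 2, 72) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def bundled_fastjson(archive):
    """Return the Fastjson versions nested inside one fat jar or war."""
    found = set()
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                match = FASTJSON_JAR.search(name)
                if match:
                    found.add(match.group(1))
    except zipfile.BadZipFile:
        pass  # unreadable archive: nothing to report for it
    return sorted(found, key=version_key)


def audit(root, minimum):
    """Map each archive under root to its Fastjson versions older than minimum."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in (".jar", ".war") or not path.is_file():
            continue
        # A stand-alone fastjson jar (separated lib directory) is judged by its name.
        own = FASTJSON_JAR.search(path.name)
        versions = [own.group(1)] if own else bundled_fastjson(path)
        old = [v for v in versions if version_key(v) < version_key(minimum)]
        if old:
            report[path.relative_to(root).as_posix()] = old
    return report


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python audit.py <artifact-dir> <minimum-version-from-the-advisory>
    for artifact, versions in audit(sys.argv[1], sys.argv[2]).items():
        print(artifact, ", ".join(versions))
```

Every archive it reports still has to go through the full release cycle, which is the management cost the article is pointing at.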


Why are you using Fastjson?

This is a question you can ask yourself and your colleagues. The answers, taken together, are the most authentic voice of users. I did a brief “survey” on this, and what I heard and learned is summarized as follows:

  1. Simple API (static methods called directly), fast, and developer-friendly.
  2. Produced by Alibaba; the backing of a big company makes it trustworthy.
  3. The community is relatively active, so maintenance and upgrades are assured.

Let me guess: these 3 reasons very likely match what you had in mind 😄? Endorsement from a big company naturally earns a product extra points, but its own quality is what really counts. There are three reasons, but I think the single most important reason why so many people decide to use it and like it is the simplicity of the API and the developer-friendly nature of direct calls to static methods.

I have a feeling that for most Java coders (especially beginners), there is a scenario where static methods are harder than instance methods. This should not be the case. Beginner and intermediate developers love static methods, while experts should be comfortable with both static and instance methods when designing a library/framework. Leaning too heavily on static methods tends to tilt your thinking toward procedural code rather than taking advantage of Java’s object-oriented features.

Neither is superior or inferior; the one that fits is the best.

See, we never mentioned performance/speed as the reason for using Fastjson, but this is one of the core features of Fastjson, and it’s what makes it stand out from the rest of the JSON libraries. Isn’t it strange that we use it, but not because of its core feature? Why?


Why are you still using Fastjson?

There are 5,678 reasons, but all in all, there’s probably only one reason you won’t switch: Fastjson’s static method calls are convenient, and, most importantly, you are not familiar with other JSON libraries (such as Jackson/Gson) and dare not switch.

I think fear comes from the unknown. There’s no denying that Jackson/Gson has a higher learning threshold than Fastjson, but that’s not a reason to refuse to use it. With Fastjson hit by bugs twice in a row, I became even more determined to make Jackson the only JSON library, to the point that Fastjson is strictly prohibited within the team. When everyone shares the same language/tools, productivity goes up ~

If you’re also afraid to leave the greenhouse because you don’t know much about Jackson, you’re lucky to have found this article: it helps you embrace Jackson for free, an advanced JSON library that is considerably more powerful than Fastjson.


Main text

There is a bit of talk in the community that if you are still relying on Fastjson, you are probably at a beginner/intermediate level. This sentence is sure to raise hackles among Fastjson’s most loyal users. A claim needs a reason behind it, so is this one really going too far? Read on.

I like to apply the principle that “what exists is reasonable”: the fact that a bug in Fastjson gets so much attention shows that it is undeniably a success.

A note on a common misreading: don’t take “reasonable” here to mean “right”; read it as “having a reason”. “What exists is reasonable” is correctly understood as: everything that exists has a reason for its existence.

Any technology that can become popular and well known has its advantages, even if it has only one advantage. Here’s a look at why Fastjson is gaining traction, and what’s its magic?

Technology selection should not be like dating: yes you only need one reason, no you can…


Why Fastjson?

Recently, though, the community has been overwhelmingly negative about Fastjson because of the security vulnerabilities. Even so, few would deny outright that Fastjson itself is excellent, especially when you know that this widely used library came almost entirely from the hands of one person. He is the craftsman Wen Shao:

Druid is one of the most popular (if not the most popular) database connection pool products in the country.

Adults see pros and cons; children see right and wrong. It is popular because it is good. Its strengths are listed on its website. These “advantages” are more straightforward to describe in Chinese:

1. Fast

Fastjson is fast compared to other JSON libraries, and since fastjson’s 1.1.x release in 2011, its performance has never been surpassed by other JSON libraries implemented in Java.

Aside: Fastjson has always held tightly to speed/performance as its claim.

2. Widely used

Fastjson is widely used in Alibaba, deployed on tens of thousands of servers, and is widely accepted in the industry. In 2012, it was selected as one of the most popular domestic open source software by Open Source China.

Aside: tens of thousands of instances in Alibaba’s large-scale clusters serve as an endorsement at scale, which is very persuasive.

3. Thoroughly tested

Fastjson has a large number of test cases, with over 3321 test cases in 1.2.11. Regression testing is performed for each release to ensure quality and stability.

Aside: unit test coverage is high, so code robustness is assured.

4. Easy to use

The Fastjson API is very concise.

import com.alibaba.fastjson.JSON;

String text = JSON.toJSONString(obj); // serialize
VO vo = JSON.parseObject("{... }", VO.class); // deserialize

Aside: no matter how much of a beginner you are, it is easy to pick up and barrier-free to use.

5. Full-featured

Support for generics, support for streaming large text, support for enumerations, support for serialization and deserialization extensions.

Aside: it has everything; whatever you want is here.


Why not Fastjson?

In this article I take a position and I am biased, so it would not be right to give no reasons. I will therefore give my personal opinion on each of the five points listed on the official website (see above), for reference. To judge whether those claims are overstated, let’s bring in another JSON library for comparison; this article uses Jackson as the example.


Version conventions

For comparison purposes, we make a version convention for the JSON library we use:

  • Jackson: 2.10.1
    • The demo code uses the most common high-level API, not the low-level API. After all, it would not be fair to pit the low-level API, which is rarely used, against Fastjson
  • Fastjson: 1.2.72
    • only one jar

1. The speed is not that fast

Speed/performance is one of Fastjson’s biggest selling points, and you can see it from its name and logo design.

Without investigation, there is no right to speak. This article relies on a series of tests and comparisons for the most common usage scenarios (trying to be fair, without getting bogged down in details). There are many examples of Fastjson versus Jackson performance comparisons on the web, and I’ve written code for multiple scenarios myself. In the end, however, I decided to present Robin’s results, because his test scheme (code) looked a little more professional to me: a performance comparison of several popular JSON libraries. The results are shown in the following two diagrams.

General conclusion: apart from Json-lib, which is only there for fun (it is no longer updated and should not be used in production), Fastjson, Jackson and Gson perform about the same, with little difference.

Across all kinds of test cases, both those found online and my own, Jackson and Fastjson are about the same in speed, while Gson is a little worse (Jackson even performs better overall).

With so little variation, does Fastjson’s insistence that it’s the fastest really make sense?


The speed of JSON parsing is never a constraint on system performance

For example, a whole REST call may take 100 ms; one database operation may need dozens of ms; JSON serialization and deserialization typically take only a few ms. This means that different JSON libraries differ in performance within milliseconds; in the overall flow of a REST call, the choice of JSON library has little impact on performance.

In modern applications, even the slowest, Gson, is adequate. The speed at which documents are parsed is not the only criterion for selection, and may not even be the main one. IO optimization, network optimization, parallel processing and other optimization measures are far more effective than choosing a faster library.

In short, if you choose a JSON library with performance as the criterion, you are heading in the wrong direction.


2. It’s not that popular

How widely something is used and how popular it is are relative. The most intuitive data is the number of references in Maven, which I screenshot below. Looking at the values, the two do not seem to be of the same order of magnitude. Of course, I personally don’t think this comparison is particularly objective, for two main reasons:

  1. The earlier an open source technology appears, the more people use it and the more mainstream frameworks support it (such as Spring MVC’s built-in Jackson support), which creates a winner-takes-all effect
  2. Fastjson was a late starter and focused on China

There is no denying that Fastjson is very popular in China, even more than Jackson. Otherwise, the latest security vulnerability would not have drawn so many onlookers. But this “widely used” also has to be viewed dialectically: after all, in the Java field in China, Alibaba is the absolute leader.

There are internal reasons for Fastjson’s popularity, such as this frustration:


3. Are the tests really complete?

Well, all I can say about this Fastjson point is that it does not need to be listed as a highlight, because users only care about bugs, their frequency and their severity, not about how robust the project is internally.

In the eyes of users: with no bugs, not having a single line of unit tests is fine; with serious bugs, even tens of thousands of test cases are not convincing.


4. Is the API really simple?

A: Really. As explained above, this is probably the most important reason you chose to use Jackson as a JSON library.

Of course, the API is easy to use in simple scenarios and not so easy to use in complex ones: POP is simple, OOP is complex. But as it happens, using JSON libraries in Web scenarios is mostly simple, so I can’t blame Fastjson for seeing it as a highlight.


5. The functionality is not that complete

The website notes that it supports serialization and deserialization of generics, enumerations, etc. In terms of the JavaBeans + JSON specifications, however, Fastjson is missing quite a few features, and this is one of my biggest complaints, because it can no longer do what I need. If you’ve done middleware development, framework development, or domain-driven design (DDD) development based on it, you know this:


Conclusion

Truth is relative; there is no absolute truth. Reasoning is meant to help people understand, not to quibble or to argue for the sake of arguing.

In the same way, there is no standard answer for Fastjson or Jackson. This article only sets out my personal viewpoint and my usage preference, for your reference when making a decision.

If, like me, you want to make Jackson your only JSON library, then follow me: next I will move all of the paid column’s content over here, to help you make a smooth transition to the world’s best JSON library for free.


Follow Brother A

Author: Brother A (YourBatman)
Personal site: www.yourbatman.cn
E-mail: [email protected]
WeChat: fsx641385712
Active platforms:
Public account: BAT’s Utopia (ID: BAT-utopia)
Knowledge Planet: BAT’s Utopia