Re: The D Programming Language
Niklas Matthies wrote:
On 2006-12-19 18:01, James Kanze wrote:
Niklas Matthies wrote:
[...]
And it's not relevant to
just security. In C++, a string literal has the value that
appears in the code. Period. With many compilers, it's in
write protected memory, so it is physically impossible to change
it. IMHO, this is essential not only for security reasons, but
in order to be able to understand the code. In C++, if I need a
string whose value cannot change after I receive it, I can use
pass by value; from that point on, I operate on a copy of the
original string, and the providing code cannot even see the
string I'm using. This is essential to security, and can also
have an effect on readability. Java's doesn't have pass by
value, and counts on immutability to achieve the same effect.
Agreed.
This is, IMHO, the important issue.
So, whether the value of string literals and private data can change
in Java is a matter of configuration.
You can't configure Java so that it is single threaded, nor that
it use deep copy. Which means that there is no way to prevent
the modification of the String data using the method shown, in
another thread, after the SecurityManager has authorized the
operation, but before the operation has taken place.
What kind of "operation" are you talking about?
The operation *I* am talking about is setting the "accessible" flag
of the respective private field (private data member) of the String
class, so that instances of it can be modified through reflection.
OK. It's already been established that my Java knowledge isn't
completely up-to-date:-). I was unaware of this flag, and since
it is apparently set by default (since I could modify private
fields), at least with Sun's standard JDK, I'd never encountered
it.
For private fields, this flag is false by default,
Only if you use some specific SecurityManager. The default
SecurityManager manager in Sun's JDK allows modifying private
fields without complaining. (Of course, if security is an
issue, you're not doing anything automatically by default,
without finding out first what the default means, and what
you're options are.)
[...]
If you want it secure, you
configure it one way; if you want to enable access by a debugger,
you configure it a different way. The language supports both.
Using the C++ model, you can have both at the same time.
In Java you can also have both at the same time by only allowing
access for the classes of the debugging implementation. Another
example (and motivation) is allowing access for a generic
serialization implementation.
As for C++, there's two possible views: Either the debugger is
considered part of the C++ program, then yes you can have both, but
only with the debugger invoking UB. Or the debugger is not considered
part of of the C++ program (the usual view), but of the implementation,
then when using it to mutate non-volatile private (or const) data in a
way detectable by the program, the implementation obviously stops to
be conforming.
Certainly. A 100% conforming implementation of c++, with no
extensions, isn't very useful anyway. No GUI, no sockets, no
threads, no processes... In general, connecting a debugger to a
process changes a lot, and a C++ program under a debugger, and
interacting with the debugger, isn't a conforming implementation
according to the standard. In addition to changing various
variables in ways which the standard really doesn't condone, you
can terminate the program when it shouldn't terminate, and
doubtlessly break what the standard guarantees in a number of
other ways (like setting a breakpoint, to begin with).
In Java, one could actually distinguish between Java-the-language
and the JVM. The JVM allows more than Java-the-language allows.
Certainly. Since it is written in C or C++, it allows anything
that C or C++ does:-).
Seriously, I've never used a debugger with Java---I rarely use
one with C++ either. But I would expect that it would be simple
a different VM, which allowed user intervention. In many ways,
this corresponds to the model used for C++ debuggers, at least
under Unix. The Unix system interface used for debugging allows
one process to modify memory, etc. of another process, and to
catch its signals. It certainly breaks the memory model defined
in the standard.
Strings are really immutable in Java-the-language. But there's an API
that provides (restricted) access to certain features of the JVM which
allows you to perform operations you wouldn't otherwise be able to
perform from within Java-the-language.
There's a certain similarity with how UB in C++ allows the possibility
of doing things that aren't possible in C++ proper. Only that for Java
the JVM defines the one-and-only behavior.
Of course! Obviously, Java allows undefined behavior. Just
declare the function "native", and you can put all the undefined
behavior you want into it:-).
(With regards to "one-and-only" behavior: there are definitly
cases where the behavior is not specified---where several
different behaviors are allowed. Threads are an obvious
example, but I think floating point has been relaxed as well, so
that you can get different results on two different conforming
implementations.)
--
James Kanze (GABI Software) email:james.kanze@gmail.com
Conseils en informatique orient?e objet/
Beratung in objektorientierter Datenverarbeitung
9 place S?mard, 78210 St.-Cyr-l'?cole, France, +33 (0)1 30 23 00 34
--
[ See http://www.gotw.ca/resources/clcm.htm for info about ]
[ comp.lang.c++.moderated. First time posters: Do this! ]