Secure Coding mailing list archives
Compilers
From: leichter_jerrold at emc.com (Leichter, Jerry)
Date: Thu, 4 Jan 2007 17:28:03 -0500 (EST)
| Florian Weimer wrote:
| > * Crispin Cowan:
| >
| >> ljknews wrote:
| >>
| >>> 2. The compiler market is so immature that some people are still
| >>> using C, C++ and Java.
| >>>
| >> I'm with you on the C and C++ argument, but what is immature about Java?
| >> I thought Java was a huge step forward, because for the first time, a
| >> statically typesafe language was widely popular.
| >>
| > Java is not statically typesafe, see the beloved ArrayStoreException
| > (and other cases, depending what you mean by "statically typesafe").
| >
| So every language that supports arrays is not statically type safe? How
| else can a language guarantee array bounds checking without having to
| resort to array bounds checking in cases where the indices are
| dynamically computed?...

That was a bad example. Java isn't statically typesafe because one can write programs that cast objects. The casts are checked - at runtime.

The most obvious place this shows up is in containers. Until Java 1.5, containers held instances of Object. If you were handed a Set of Circles, when you pulled out one instance from the Set, you got an Object. It was up to you to cast it to a Circle. If someone inserted a Cube into the class, your cast would fail with an exception. (You could also explicitly test if you wanted.)

Parameterized types in Java 1.5 help to some degree, in that the compiler effectively checks that only Circles are ever inserted into your Set<Circle>, but the model used is very limited, the old constructs remain - in fact, a constraint was that new and old code interoperate, so if some code got at your set as just a Set, they could put any Object into it - and there are still plenty of places where you can lose static type safety.

It's *possible* to write Java code that uses types conservatively and never does a cast that could fail at run time. Then again, you *can* write C code like that. But the compiler won't help you.
And there are all kinds of common Java coding patterns that rely on the dynamic type system, and can't be written in a purely static type style. -- Jerry
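The container behaviour described in the message above, as an added example that is not part of the original post. The Circle and Cube classes, the CastDemo class and its method names are invented here for illustration. The block goes slightly beyond the post: besides the raw-container cast and the generic set reached through a raw reference, it shows Collections.checkedSet, which moves the failure to the insertion site, and the ArrayStoreException Florian referred to, which is the same kind of run-time check applied to covariant arrays.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Placeholder shape types invented for this example; they carry no behaviour.
class Circle {}
class Cube {}

public class CastDemo {

    // Pre-1.5 style: the container holds Object and the caller casts on the way out.
    static void rawContainer() {
        Set circles = new HashSet();           // raw type, as all collection code was before 1.5
        circles.add(new Circle());
        circles.add(new Cube());               // the compiler cannot object: every element is an Object
        for (Object o : circles) {
            Circle c = (Circle) o;             // the type check happens here, at run time
            System.out.println("got " + c);
        }
    }

    // Generic code that trusts its parameter type; the compiler inserts the cast.
    static void takesCircles(Set<Circle> circles) {
        for (Circle c : circles) {             // implicit checkcast to Circle on each element
            System.out.println("circle " + c);
        }
    }

    // Old-style code that only sees a raw Set, interoperating with the generic code.
    static void legacyInsert(Set anySet) {
        anySet.add(new Cube());                // at most an unchecked warning, never an error
    }

    // Heap pollution: a Set<Circle> reached through a raw reference.
    static void mixedCode() {
        Set<Circle> circles = new HashSet<Circle>();
        circles.add(new Circle());
        legacyInsert(circles);                 // accepted with an unchecked warning
        takesCircles(circles);                 // ClassCastException on the Cube, far from the insert
    }

    // Mitigation: a checked view (since 1.5) fails at add() instead of at the read site.
    static void checkedView() {
        Set<Circle> circles = Collections.checkedSet(new HashSet<Circle>(), Circle.class);
        legacyInsert(circles);                 // ClassCastException thrown here, by add()
    }

    // Arrays are covariant, so the store check is dynamic as well.
    static void arrayStore() {
        Object[] objs = new Circle[1];
        objs[0] = new Cube();                  // compiles; throws ArrayStoreException at run time
    }

    // Runs one case and reports which exception, if any, escaped it.
    static void run(String name, Runnable r) {
        try {
            r.run();
            System.out.println(name + ": no exception");
        } catch (RuntimeException e) {
            String msg = e.getMessage() == null ? "" : " (" + e.getMessage() + ")";
            System.out.println(name + ": " + e.getClass().getSimpleName() + msg);
        }
    }

    public static void main(String[] args) {
        run("raw container", CastDemo::rawContainer);
        run("mixed generic and raw", CastDemo::mixedCode);
        run("checked view", CastDemo::checkedView);
        run("array store", CastDemo::arrayStore);
    }
}
```

Compile with `javac -Xlint:unchecked CastDemo.java` to see that the only thing the compiler says about the raw insertions is a warning; the first three cases end in ClassCastException and the last in ArrayStoreException, with only the checked view failing at the line that actually introduced the wrong type.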