[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: the benefits of immutability

On Tuesday, August 19, 2003, at 04:09  PM, Perry E. Metzger wrote:
> Sure, but my point is that everything in sight (see StringBuffer,
> which is pretty obviously mutable) was made final by Java's designers,
> on the premise, presumably, that they knew everything you would ever
> want such an object to do.

Okay, I found a old usenet posting explaining why StringBuffer is final 
-- it's for security:

> Message-ID: <3BC4FE13.AA7333D4@zetnet.co.uk>
> Date: Thu, 11 Oct 2001 03:04:03 +0100
> From: David Hopwood <david.hopwood@zetnet.co.uk>
> Newsgroups: comp.lang.java.machine
> Subject: Re: String/Integer/etc. final why?
> "Stuart D. Gathman" wrote:
>> In article <2695edf1.0110100937.61cf0635@posting.google.com>, "Pat
>> LaVarre" <ppaatt@aol.com> wrote:
>>> I think I see that making String a class rather than an interface 
>>> frees
>>> security-conscious classes from the work of converting their String
>>> parameters to ImmutableString's.
>>> But I don't see the point of making the String class final.
>> An extended String class could contain mutable fields.  By decalring 
>> all
>> existing methods final, the security requirements would (probably) be 
>> met
>> (since these methods could never access any additional mutable 
>> fields) -
>> but it is simpler and safer to make the whole class final.
>> The class we should, however,  be able to extend is StringBuffer.  
>> Why is
>> StringBuffer final???
> StringBuffer needs to be able to convert itself to a String 
> efficiently,
> i.e. without copying if the char[] is not shared. That is implemented 
> by
> having a package-access method in String that is called by
> StringBuffer.toString(). If StringBuffer were non-final and its fields
> were protected, say, then this wouldn't work, because it would never be
> possible to guarantee that the char[] is not shared with untrusted 
> code.
> However, it would be possible to securely make StringBuffer non-final
> (in a way that doesn't completely cripple its interface to subclasses)
> by doing something like the following:
>  - make all fields private (not protected).
>  - add a flag 'do_not_share' (initially false).
>  - in order to allow subclasses to get at the char[], add a protected
>    method getInternalArray that does the following:
>      copy the char[] if it is shared with a String.
>      set the do_not_share flag.
>      return the char[] (the new one, if it was copied).
>  - change toString() so that it copies the char[] first if do_not_share
>    is set.
>  - some of the methods need to be made final - at least toString and
>    getInternalArray, and possibly others.
>  - think about potential race conditions a lot more thoroughly than
>    I have time to do now.
> In any case, getting this right is more complicated than it looks.
> ISTR that Sun did at one point (in a beta version?) attempt to make
> StringBuffer non-final, and they introduced a security bug as a result.
> In the next version StringBuffer was final again.
> It would be worth submitting the above as an RFE, I think. I haven't 
> got
> time to do that myself, but if anyone else wants to prepare one, I'd be
> happy to look over it for security problems.