Paul J. Lucas said:
> Chris Smith said:
> > Although programmer-safety is nice, it isn't the main goal behind
> > Java's memory model. The more important concern is security-safety.
> [ snip ]
> I don't see what that's got to do with GC or Java's memory
> model.
I suppose I wasn't clear in explaining it. Basically, Java security (in
environments where there is a SecurityManager, such as applets, EJBs,
many servlet deployments, app-specific plugin code, etc.) relies on
privileged Java code to check and prevent unauthorized operations. The
ability of unprivileged code to change random bits of memory on the heap
would obviously break that model. Unprivileged code, for example,
cannot be allowed to change the state of an instance of class
java.security.Policy!
If you allowed dangling pointers (that is, pointers to memory that has
since been deallocated), then you have no idea what you're allowing
unprivileged code to do. If that code is smart enough, it will
eventually find a way to modify something it shouldn't.
In practice, there are more subtle versions of this attack that would be
easier to pull off... for example, by mutating an instance of String you
could circumvent all manner of security checks. Obtaining a dangling
pointer to memory that is occupied by a String would be far easier than
doing the same for a Policy object. But the concept is the same in
either case. If Java thinks you've got a reference to a byte[], then
you could modify either data structure imperviously.
That's why it's absolutely critical that the user should never be able
to obtain a dangling pointer in Java. (At least without the use of JNI.
JNI screws up the whole security model anyway.)
> Fine. Rather than have a special kind of reference, have a
> special kind of class:
>
>     public counted class MyClass {
>         // ...
>     }
>
> Then the JVM knows exactly which classes are reference counted.
> Any class derived from a counted class is also counted.
That helps a little, perhaps... but all references to Object still need
to contain reference counting code. That cripples the Collections API
for everyone, whether they are reference-counting or not.
--
www.designacourse.com
The Easiest Way To Train Anyone... Anywhere.
Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation
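An added illustration of the "mutating an instance of String would circumvent security checks" point above (this is the editor's example, not code posted in the thread). Java has no mutable String, so StringBuilder stands in for one; the two Policy classes are hypothetical and are not java.security.Policy. The unprivileged caller keeps a reference to the mutable prefix it handed to the policy, so the policy that stores that reference can be rewritten after construction, while the policy that snapshots it into an immutable String cannot.

```java
/* Editor's example: why privileged checks depend on String being immutable.
 * LeakyPolicy and SnapshotPolicy are illustrative stand-ins, not the JDK's
 * java.security.Policy. */
public class MutablePolicyDemo {

    /** Keeps the caller's CharSequence by reference. If that sequence is
     *  mutable, whoever still holds it can change the rule later. */
    static final class LeakyPolicy {
        private final CharSequence allowedPrefix;

        LeakyPolicy(CharSequence allowedPrefix) {
            this.allowedPrefix = allowedPrefix;   // aliases the caller's object
        }

        boolean permits(String path) {
            return path.startsWith(allowedPrefix.toString());
        }
    }

    /** Takes an immutable snapshot at construction time. Nothing the caller
     *  does to its own object afterwards can affect the rule. */
    static final class SnapshotPolicy {
        private final String allowedPrefix;

        SnapshotPolicy(CharSequence allowedPrefix) {
            this.allowedPrefix = allowedPrefix.toString();   // private copy
        }

        boolean permits(String path) {
            return path.startsWith(allowedPrefix);
        }
    }

    public static void main(String[] args) {
        // StringBuilder plays the role of the hypothetical "mutable String".
        StringBuilder prefix = new StringBuilder("/sandbox/");
        LeakyPolicy leaky = new LeakyPolicy(prefix);
        SnapshotPolicy snapshot = new SnapshotPolicy(prefix);

        String target = "/etc/passwd";   // constructed sample path, outside the sandbox
        System.out.println("before mutation: leaky=" + leaky.permits(target)
                + " snapshot=" + snapshot.permits(target));

        // Unprivileged code still holds 'prefix' and shortens it to "/".
        prefix.setLength(1);

        System.out.println("after mutation:  leaky=" + leaky.permits(target)
                + " snapshot=" + snapshot.permits(target));
    }
}
```

Run it with `javac MutablePolicyDemo.java && java MutablePolicyDemo`. Before the mutation both policies reject the path; after `setLength(1)` the leaky policy's prefix reads as "/" and it permits everything, while the snapshot policy is unchanged. The same defensive copy is what privileged Java code has to do with any mutable argument it stores (char[], byte[], collections); the thread's point is that String spares the JDK from doing it for the most common case, and only because nobody can obtain a mutable alias to a String's contents.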