Gosling on Computing

← Back to Stories (view on slashdot.org)

Posted by CowboyNeal on Thursday August 5, 2004 @07:05PM from the teco-shoutouts dept.

CowboyRobot writes "ACM Queue has Eric Allman (creator of Sendmail) interviewing James Gosling (creator of Java) and the conversation covers many aspects of computing today, including the state of security, comparisons of languages and OSs, and the future of virtual machines. 'At the lowest level, you have to know that the boundaries around the piece of software are completely known and contained. So, for example, in Java, you can't go outside the bounds of an array. Ever. Period. Turning off array subscripting is not an option.'"

22 of 74 comments (clear)

Min score:

Reason:

Sort:

Good idea. by TheLink · 2004-08-05 21:32 · Score: 4, Insightful

It's dangerous to use a programming language where common programmer mistakes allow "remote attackers to execute arbitrary code of their choice with the process's privileges".

Once they do that we'll only have to worry about stuff like SQL injection (which can result in execution of arbitrary code), which can be reduced/near eliminated by making people use prepared statements.

In some cases it'll still be necessary to use the unsafe languages, but nearly 100% of the programmers in the world obviously can't code safely in C or similarly vulnerable languages.

Even Eric Allman couldn't (see Sendmail for evidence).
--
- Too many replies beneath your current threshold
1. Re:Good idea. by Anonymous Coward · 2004-08-05 21:51 · Score: 2, Insightful
  
  But that's not a reason to use Java. Safety of that sort is perfectly possible in languages compiled to native code; ML or compiled Lisp can give you the safety of Java, plus the convenience of type inference or dynamic typing, plus the speed of C.
  
  Not that I'd dream of barely-on-topic evangelism or anything...
Gosling, Java? Hmmm..... by Cyberax · 2004-08-05 21:37 · Score: 5, Informative

I lost all my respect to Gosling after a clumsy attempt to add generics to Java.

The right way to add generics to Java is a radical modification of JVM (Java Virtual Machine), but Sun didn't want to it. So they made an attempt to add generics to Java language without touching JVM. The result of this attempt is a complex scheme of name mangling (just like C++), and some unnecessary overhead. And such implementation _still_ requires some JVM changes and is incompatible with old JVMs. So now we have an ugly generics in Java and Java 5.0 (rebranded J2SE 1.5) incompatible with previous versions.
1. Re:Gosling, Java? Hmmm..... by Bluelive · 2004-08-05 22:28 · Score: 2, Insightful
  
  Not really something you can hold gosling personally responsible for. And java generics arent as bad as you try to make them seem.
2. Re:Gosling, Java? Hmmm..... by Massacrifice · 2004-08-06 01:44 · Score: 2, Interesting
  
  And what exactly should this implementation have been? Its easy to criticize, but I would like to know what you are proposing instead. Really.
  
  Because from what I read, java generics look very usable. My only complaint is that they werent in JDK 1.4.
  
  --
  -- Home is where you eat your heart out.
3. Re:Gosling, Java? Hmmm..... by Cyberax · 2004-08-06 03:10 · Score: 2, Insightful
  
  Take a look at C# 2.0 draft. That's the right way to implement generics.
  
  Basicly, Java generic classes are common classes with some compile-time information. Compiler automaticaly inserts type casts when it's neccessary. But resulting byte-code is just the same code with casts from Object. So the only advantage is more typesafeness.
  
  In C# 2.0 generic class are not real classes, they are templates (as in C++) for classes with erased type information. CLR (Common Language Runtime) instantiates parametrized class when it's neccessary (in JIT-time), during instantiation erased types are substituted with specified types, it's the same mechanism as used in C++. Advantages of this implementation: faster code (no redundant casts), smaller size, ability to parametrize templates with promitive types.
4. Re:Gosling, Java? Hmmm..... by Laxitive · 2004-08-06 03:24 · Score: 4, Interesting
  
  I agree with your sentiment, to a limit.
  
  I don't think the generics in Java are very ugly at all. The interface - i.e. the syntax itself - is reasonably clean. The implementation ends up being just a fallback to the safe-dynamic-casting functionality of the JVM, but you don't know that when you actually use the generics.
  
  I think the major benefit of generics is that developers can structure their code easier. They can tell the compiler that something is a List of Strings, and not a List of Objects. The performance aspect of it is less important.
  
  Also, you are not considering that there are low-level VM operations that can mollify, to a significant degree, the potential performance hits caused by dynamic casting.
  
  If you read papers related to Self (a Sun research language, based on smalltalk, using prototype-based OO semantics), you'll notice that there was a lot of work done on doing fast dynamic type-inferencing. A lot of that work has been rolled back into Java.
  
  So let's say you have a List of Strings in Java. And there's a location in the code which grabs the first element from a list, and that first element happens to be a String all the time, or most of the time (this occurrs very frequently even in OO code - even though the strict semantics might imply polymorphic behaviour, in practice, a lot of code ends up being monomorphic anyway). The Java VM will actually figure that out at runtime, and compile a special version of the code, which does one pointer check (to see if the object you're pulling out is a string), and if that pointer check succeeds, makes a call to a custom-compiled version of the method based on that type assumption. If that check fails, then it falls back to less efficient code. So that piece of code that ends up dealing with Strings in practice, ends up doing only a single pointer check, instead of the heavyweight operations needed for a blind dynamic cache.
  
  Even when you have limited polymorphic behaviour (code that is polymorphic over a handful of tyes), the java VM optimizes it by using polymorphic inline caches (I think this was added in the 1.5.* VMs).
  
  And the nice thing is, this happens on the dynamic properties of the code, not just the static properties. So if you have some code that, according to the syntax, deals with plain Objects, but in practice, deals with instances of Foo a vast majority of the time.. then most of the time, it WILL execute with the type-assumption, with the added cost of a pointer check.
  
  So yes, it would be nice if the generics system had support at the bytecode level. But it's not as much of a hit on performance as one might think. The jitter and its low-level optimizations compensate for that quite a bit.
  
  I'm pretty sure Sun developers were aware of this when they decided not to mess with the VM bytecode definition when adding generics support to the Java language.
  
  -Laxitive
5. Re:Gosling, Java? Hmmm..... by bay43270 · 2004-08-06 03:53 · Score: 3, Insightful
  
  Moderators seem to be confusing Informative with Offtopic. What does Gosling talking about security have to do with Sun implementing generics? While sun was adding generics to Java, Gosling was building IDE components. Why blame him for Sun's reluctance to alter the JVM?
  
  As far as how Sun implemented generics, the decision was purely political. Even Sun knows their solution is technically inferior. That doesn't make it wrong. They weighed the pros and cons and arrived at a different solution than you did, not because you know something they don't, but because they weighted the results differently.
6. Re:Gosling, Java? Hmmm..... by Paradise+Pete · 2004-08-06 04:39 · Score: 2, Funny
  
  I lost all my respect to Gosling after a clumsy attempt to add generics to Java.
  So you had respect for him, he does something in what you consider to be a clumsy way, and now you have NO respect for him? So if Gosling showed up and offered to help you with some project you'd shoo him away out of disrespect?
7. Re:Gosling, Java? Hmmm..... by Cyberax · 2004-08-06 05:08 · Score: 2, Informative
  
  Look at Retroweaver. This is a project aimed to make Java 1.5 features work on previous JVMs (by weaving bytecode). They have a nice explanation why JDK 1.5 is incompatible with 1.4 somewhere on their site.
The problems of code injection by Anonymous+Brave+Guy · 2004-08-05 23:40 · Score: 4, Interesting

Once they do that we'll only have to worry about stuff like SQL injection (which can result in execution of arbitrary code), which can be reduced/near eliminated by making people use prepared statements.

Yep, that's a serious problem, and one that gets far less "press" than the sort of buffer over-run vulnerabilities you get in careless C or C++.

The one that always astounds me is that languages with an eval-type statement -- that is, ones which can parse and execute an arbitrary string at run-time -- don't get slated for their security problems way more often. We use Perl to write CGI scripts all the time, and its variable interpolation can be waaaaay more dangerous than any potential pointer nasties in C!

It's notable that Java does not have such a function. It does, however, have the usual problem with allowing arbitrary strings to be interpreted as statements through its SQL API, but given the nature of SQL I'm not sure how realistic it is to address that anyway...

--
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
1. Re:The problems of code injection by TheLink · 2004-08-06 04:17 · Score: 2, Interesting
  
  But it's quite different if a programmer intentionally executes a user supplied arbitrary string without filtering it. Not the same as a programmer makes a low-level mistake (off by one, not having the numbers right) and then user supplied arbitrary code is executed.
  
  The first is a "not thinking straight" problem and requires stupidity/ignorance which is common. The second is a "typo class" problem and only requires imperfection which is nearly ubiquitous -even smart and knowlegeable people make such mistakes (some even do it regularly).
  
  As for other languages: I crashed a forth webserver the first time I tried :). I used a ' as password when it prompted for username and password for an access controlled URL. Turns out ' is a special forth keyword so Boom!
  
  As the author of the webserver said when I emailed him: "the line between CODE and DATA is blurred by Lisp and obliterated by Forth. :)"
  
  That's dangerous if you don't know what you're doing...
  
  At least with perl if you turn on tainting and "use strict" a lot of exploits become very difficult. Whereas with C you need to keep remembering to do the right thing. Global "make things safer" switches are good for most people.
  
  If you ALWAYS use SQL prepared statements in Java, in one sweep you make SQL injection attacks a lot harder. After that you need to make sure that LIKE queries don't have unwanted wildcards, and that stuff like a=b-parameter is either a=b - parameter or a=b-(parameter) so that if parameter is a negative number it doesn't create an SQL comment.
  
  Then either you turn off multibyte/multilingual support or hope that the database implements it correctly. There was a bug in a database where a particular invalid multibyte word caused the following character to be "eaten" up. Imagine if the following character was a ' or \. The DB developer who mentioned the prob didn't even realize the severity of that prob and I had to give examples. Eye-opener...
  --
  
  Too many replies beneath your current threshold
What about turning off bounds checking? by Chemisor · 2004-08-06 01:59 · Score: 2, Interesting

> for example, in Java, you can't go outside the bounds of an array. Ever. Period.

As I recall, it used to be possible to turn off runtime bounds checking. I also think that most people would do this once the code is debugged. Did this feature get disabled recently?
1. Re:What about turning off bounds checking? by Anonymous Coward · 2004-08-06 03:50 · Score: 2, Insightful
  
  As I recall, it used to be possible to turn off runtime bounds checking. I also think that most people would do this once the code is debugged. Did this feature get disabled recently?
  
  The language is defined so that this is impossible. See here. If you were to disable bounds checking, then you would be violating the language spec, and therefore it would not be Java. It would be the same if you wrote a JVM that ran bytecode but never checked array accesses. This sort of stuff may be useful for debugging or academic purposes, but it's not something one can do without redefining what it means to be Java.
No Generics until 2006-2007 ?? by fforw · 2004-08-06 01:59 · Score: 3, Informative

Generics are non-existent to me. They won't be anywhere around until 2006-2007.
what are you talking about? the 1.5 release is already at "beta 2". So we will have a release version in autumn. Netbeans will reach it's beta for the 4.0 release soon, so there will be a matching, open-source IDE, too.
And all that before even 2005.

--
while (!asleep()) sheep++
1. Re:No Generics until 2006-2007 ?? by Cyberax · 2004-08-06 03:51 · Score: 2, Informative
  
  No. This is just a FUD.
  
  .NET bytecodes has a well-known "verifiable subset" which can be automatically verified to be correct just like Java bytecode. CLR can be configured to reject non-safe code in some domains and accept it in another domains. For example, you can configure CLR to behave just like an applet sandbox for downloaded applications.
  
  I repeat, Java bytecode is just a subset of IL. So you can do in .NET everything you can do in Java.
2. Re:No Generics until 2006-2007 ?? by angel'o'sphere · 2004-08-07 10:39 · Score: 2, Insightful
  
  How can Java Byte Code be a subset of IL byte code?
  
  JBC is completely stack oriented and very close to UCSD pCode. CLR is register oriented ... no way that you can 'map' the one to the other by changing code words. You have to restructure and recompile one byte code to the other.
  
  The VMs have completely different abstraction levels as well. Java has no assemblies, they use the more generic approach via class loaders.
  
  angel'o'sphere
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
JVM and virtual servers by gtrubetskoy · 2004-08-06 03:04 · Score: 5, Insightful

I like Java as a language, what I don't like is the JVM.

In this article he mentions that the idea for the JVM came from the days when he wrote an emulator and found that his emulator actually performed better than the compiled C code. With the most modern JVM's, tests show that their performance is very close to, and often exceeds that of compiled code.

But the problem is that this is done at the expense of the performance of the overall server. UN*X (and other OS's) go to great lengths to make different programs perform and share resources in the most efficient manner. Scheduling, memory management, IO optimization, all that wonderful stuff, that makes a bear like emacs start almost instantaneously even on an old P90.

As is evident from my sig, I've been spending quite a bit of time in the past year tinkering with virtualization (The Linux Vserver in particular). The amazing thing is that all the optimizations of Linux still apply even if you're running two dozen virtual servers on the same machine (the code for emacs is still shared across processes, even in different virtual servers). Except for, sadly, the JVM. This is why you see many VPS hosting providers forbid running Java and sell a separate "Java server" at a much higher price. And we're considering doing the same. In our experience, a typical VPS customer running Apache, sendmail and a few other things uses 200-400MB of virtual memory, much of which is shared, whereas a customer running Tomcat or, even worse, JBoss use 1-3GB of virtual memory, next to none of which is shared. (Note that virtual memory != physical memory, but that's a separate discussion.

Given that virtualization is becoming more and more popular these days (and even Solaris now has "zones", which are same thing as Linux Vserver or FreeBSD jails), I think the folks at Sun need to think about where the JVM fits into a virtual server.
1. Re:JVM and virtual servers by HappyClown · 2004-08-12 22:43 · Score: 2, Informative
  
  Agreed this is indeed a problem, JVMs can be quite memory hungry. However there are several ways to address this. First of all, it's possible to have a single application server instance host multiple web applications. In fact, this is half the point of having an application server in the first place! Sure there's extra effort involved in getting the security and other configuration right, but it will save you gobs and gobs of memory.
  
  Additionally, Sun will be providing new functionality in J2SE 1.6 (6.0?), due out in beta this year, to allow JVM resources to be shared across separate instances of the JVM.
  
  Take a look at http://research.sun.com/projects/barcelona/papers/ oopsla00.pdf to see how Sun plan on addressing this.
Re:Java snake oil by Laxitive · 2004-08-06 03:35 · Score: 2, Insightful

The Java snail-oil salesmen try to convince you that your code will be bug free because certain classes of errors just can't happen. Again, what crap. They can happen. The only thing the JVM does is tell you precisely when they happen. Is this better than insideous bugs in C that change memory they shouldn't but don't crash as a result until later? Certainly. But the bugs still happen in Java. And they can be insideous in different ways.

Ah, snail oil, it does wonders for the skin ;)

Anyway, yes, it IS better to know WHAT is happening and WHEN it happens, than for it to blindly happen and cause problems later. This is because it bounds the code and its runtime behaviour. A NullPointerException or array out of bounds exception is not nearly as insidious as random memory getting clobbered. For one, it eliminates an entire class of possible bugs: buffer overflows. They simply wont happen. Knowing that there will be certain strict bounds on the runtime behaviour of the program is extremely important.

-Laxitive
Re:Java snake oil by Anonymous Coward · 2004-08-06 03:43 · Score: 3, Insightful

The Java snail-oil salesmen try to convince you that your code will be bug free because certain classes of errors just can't happen. Again, what crap. They can happen. The only thing the JVM does is tell you precisely when they happen. Is this better than insideous bugs in C that change memory they shouldn't but don't crash as a result until later? Certainly. But the bugs still happen in Java. And they can be insideous in different ways.

Calm down, buddy. I never saw anything that said that Java will eliminate every bug known to man. I think everyone understands that "you can't go outside the bounds of an array" means "you can't go off the end of an array, corrupt memory, and do god-knows what to your application's state". You openly admit that this is better, yet you attack the "snake oil salesman" for bringing it up. It sounds like you have an axe to grind.
Re:Java snake oil by Shillo · 2004-08-13 00:07 · Score: 2, Insightful

Hear, hear!

My coworker is currently recovering from 3 days' bugfixing session.

In C++, he called a virtual method off uninitialised pointer. The random piece of code that got run somehow managed not to crash the program immediately. Instead, it overran stack in random places. The program would crash in a corrupted STL list, in a completely unrelated spot. And it wasn't compatible with Valgrind.

Frankly, I'd take bugs in Java code instead of this anytime.

--

--
I refuse to use .sig