Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Brings Design-By-Contract To Java

Posted by Soulskill on from the putting-a-hit-out-on-bugs dept.

angry tapir writes "Google is developing a set of extensions for Java that should aid in better securing Java programs against buffer overflow attacks. Google has announced that it open sourced a project that its engineers were working on to add a new functionality into Java called Contracts, or Design-By-Contract. 'Contracts exist to check for programmer error, not for user error or environment failures. Any difference between execution with and without runtime contract checking (apart from performance) is by definition a bug. Contracts must never have side effects.'"

24 of 134 comments (clear)

  1. Finally! by goofy183 · · Score: 2

    There have been several projects that have tried to do this before but the developers never saw it through. When annotations were added in JDK5 this was one of the features I've been looking for. Being able to define invariants on the interface will make implementations much more safe and consistent!

    1. Re:Finally! by The+Snowman · · Score: 3, Insightful

      I'm probably digressing OT here, but my own main beef with annotations in Java is that they don't actually serve any real functional purpose that I've ever been able to see beyond documentation, while at the same time they break compatibility with older Java compilers which are unable to compile any source code with annotations in it

      Considering annotations are in Java 5, and Java 5 is no longer supported by Sun/Oracle, I don't really care about Java 4 and earlier compilers.

      Annotations can have great benefits in running code, but you need to use reflection. For example, the product I develop at my job uses them for technical designs. We use a custom annotation to mark up classes that are not yet implemented, so we can design a process flow and actually run through it in the application before it is implemented. A factory pattern class replaces these classes with a generic, configurable replacement on the fly. Often, the most difficult part of the process is defining it, not implementing it. This alone has saved us hundreds if not thousands of hours of time fixing bugs and definitely fewer builds into QA.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
  2. BOf in Java? by Lord+Ender · · Score: 2, Insightful

    I did not realize buffer overflows were a problem for apps written in Java. Java has built-in "generic" dynamic data structures which should be suitable for 99% of the software any of us write. Why would we ever be manually managing memory in Java? Doing so should be "considered harmful" to a far greater degree than goto statements.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:BOf in Java? by goofy183 · · Score: 5, Informative

      I think that is a poorly written summary. You can't (in pure java and ignoring JVM bugs) overflow buffers. You can however forget to do sanity checking on inputs based on the business rules of your app. That is where this will help. Codifying even simple things like "The argument should never be null" in an annotation on the interface definition helps both document and consistency for implementations of that interface.

    2. Re:BOf in Java? by Johnny+Fusion · · Score: 2
      If you took time to read TFA you may have come across this little tidbit.

      "One of the oldest techniques in the attacker's virtual arsenal, buffer overflows remain a problem. In December, Microsoft identified 2.6 million possible attacks that could be waged using a stack-based buffer overflow in the JRE (Java Runtime Engine)".

      --
      There are two kinds of fool. One says, This is old, and therefore good. And one says, This is new, and therefore better.
    3. Re:BOf in Java? by mswhippingboy · · Score: 2

      I did not realize buffer overflows were a problem for apps written in Java.

      In general, they're not. However, there have been a few bugs in the JRE found over the years that resulted in stack buffer overflows which could have led to an exploit . AFAIK, all of these know bugs have long been fixed. However, there is always the potential that a new bug could be found.

      DBC is not about managing memory for Java, it's simply a tool (using annotations) to allow validation (think ASSERTs) of arguments to methods and the values the methods return.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    4. Re:BOf in Java? by medv4380 · · Score: 2

      It's not a poorly written summary. TFA actually mentions that the reason for implementing this is to address the Buffer Overflow attacks that have been used against the JRE. Even though google is well meaning in what they are doing I don't think they understand where the problem is at. Most of the buffer overflow attacks were targeting the JRE and that only has a small set of code written in java. The vast majority of the JRE is written in C and C++. Adding Design by Contract standards to Java won't fix those buffer overflow issues. They'd have to add it to C++ and implement it on the whole JRE and that would be a massive rewrite. It might fix things but adding it to Java only will fix things like when a programmer fails to do sanity checks of user input.

    5. Re:BOf in Java? by goofy183 · · Score: 4, Informative

      The problem is TechWorld having no idea what this tool is for. The announcement by Google http://google-opensource.blogspot.com/2011/02/contracts-for-java.html never mentions the word "buffer" and accurately describes this as a tool for pre/post validation of method arguments and return values. Some how TechWorld decided to tie in JVM level buffer overflow issues with a pure Java DbC tool, anyone actually familiar with Java knows at a glance that the two are unrelated.

    6. Re:BOf in Java? by owlstead · · Score: 2

      The Java standard libraries are *primarily* native code? WTF have you been smoking? You can tell the moderators are not very knowledgeable either.

      If somebody could post the percentage of C/C++ code in the Java RE, please do because we need to get rid of FUD like this.

    7. Re:BOf in Java? by nicholas22 · · Score: 3, Informative

      Sorry but you're completely wrong. Java libraries are primarily written in Java you wally.

    8. Re:BOf in Java? by sproketboy · · Score: 2

      MOD PARENT DOWN. Retard most of Java is written in Java.

  3. Trademarked by D+Ninja · · Score: 4, Interesting

    Actually, Google is bringing Programming by Contract to Java. Design by Contract is trademarked by Eiffel Software (and Bertrand Meyer).

    1. Re:Trademarked by trollertron3000 · · Score: 2

      Well that should work out well. We'll just call it that everywhere else and make sure no one in the US ever sees it..

      --
      Tiger Blooded Bi-Winning Machine
  4. Fail by nicholas22 · · Score: 5, Insightful

    It is a String-based implementation, which is awful in terms of consistency, type-checking, etc. and vulnerable in code refactoring. I would stay away or use something more type-safe and IDE-safe.

  5. Too fragile by lehphyro · · Score: 3, Interesting

    Using strings instead of compiled code is too fragile. org.apache.commons.lang.Validate or com.google.common.base.Preconditions are much better for this kind of validation.

  6. Another one? by quivrnglps · · Score: 4, Informative

    According to Wikipedia there are already quite a few projects doing DbC:

    Java, via iContract2, Contract4J, jContractor, Jcontract, C4J, CodePro Analytix, STclass, Jass preprocessor, OVal with AspectJ, Java Modeling Language (JML), SpringContracts for the Spring framework, or Modern Jass, Custos using AspectJ,JavaDbC using AspectJ, JavaTESK using extension of Java.

    Do we really need an entirely new one? If none of those are sufficient, why not build on top of and improve an existing project? Starting over is not always a good thing...

  7. Re:Back to the 80's! by microbox · · Score: 2

    D has had contracts since the get-go. Sometimes I wonder if it would be a better world if all the C and C++ out there was *magically* reimplemented into a better language.

    --

    Like all pain, suffering is a signal that something isn't right
  8. Re:Back to the 80's! by wbhauck · · Score: 2

    There's a subset of Ada called SPARK that has these concepts.

    SPARK (Programming Language)

  9. Bah runtime by subanark · · Score: 2

    I'm still waiting for a decent compile time DbC. Runtime checks won't catch an untested control flow, and when the fault does happen you better hope it happens in your lab and not on a client's computer. You can read my analysis of this in my Master's thesis (which focused on unique references that were ensured to be unique at compile time):
    http://www.worldcat.org/title/applying-uniqueness-to-the-java-language/oclc/701244184&referer=brief_results

  10. Re:No side-effects AT ALL?! by pz · · Score: 3, Insightful

    Isn't throwing an error a side-effect?

    No, because it does not mutate a value, but only changes the control flow.

    I wish I had more time to explain in detail, but that isn't going to happen today, unfortunately. Side-effect in this context is a highly specific term that means, essentially, to change the value of a variable through assignment.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  11. Re:It would mean the contract has been poorly writ by noidentity · · Score: 2

    The idea of contracts is that clients write their code to work with anything which fulfills the contract. So let's say you have some client code written, but then determine that there's a bug in the contract. What does this mean? The client code is either written for the "buggy" contract, or the client code was ALSO buggy and written for the intended contract. At that point, it seems that the client has failed to grasp what the contract is in the first place. The idea is that the contract cannot be buggy, since it is the definition of correct. If your clients code to the contract, you can't go changing it without breaking clients. The contract may be badly-designed, and it's good to avoid bad designs, but once you have clients, to go in and try to fix a "buggy" contract is to water down what contracts mean in the first place. It encourages clients to ignore contracts and code to what they imagine the routine should do. At that point, you might as well abandon contracts because they aren't being used as the definition of what is correct anymore, just a vague guide as to what the routine might do.

  12. DEC did a good one by Animats · · Score: 2

    One of the best ones was the DEC Extended Static Checker for Java in the late 1990s. That project died after Compaq acquired DEC and shut down research. But it formed part of Microsoft's efforts for Spec#, which has a formal verification system.

    Microsoft has had a huge success with formal proof of correctness - the Static Driver Verifier. This is a system which tries to formally prove that a Windows driver can't crash the operating system. All drivers for Windows 7 have to pass this verifier to be signed, It's an impressive system which works by symbolic case analysis. It yields a proof, a counterexample, or times out analyzing too many cases. About 3% of programs time out. (If your kernel driver has undecidable behavior, it needs work.)

    I headed a team that did a proof of correctness system for Pascal back in the early 1980s. That was pushing the limits of what you could do back then; verifying a small program took 45 minutes on a 1 MIPS VAX. Today, with about four orders of magnitude more CPU power, it's a practical technology.

    There have been many attempts to bolt some "design by contract" features onto various languages, but they're usually not very good. The problem is saying things about collections. The hacks that try to do design by contract at run time tend to avoid expressions which examine big data structures, since they have to run them over the whole data structure every time. Real verifiers prove or disprove such things at compile time. It turns out, though, that a few standard cases for collections cover many of the usual things you want to say.

    Another big issue, which Spec# handles and this Google hack apparently doesn't, is the "insideness" issue for object invariants. Object invariants are supposed to be true whenever control enters and exits an object. But what if an object calls one of its own public methods, perhaps through a long chain of calls? Now, control is inside the same object twice. That violates the invariant rule.

    This class of bugs is common in window systems, where all the widget, pane, window, and event objects are frantically calling each other. It also comes up in concurrency, which I don't see Google's hack addressing either.

  13. Re:It's just syntactic sugar anyway by p3d0 · · Score: 2

    Actually Design by Contract is a design discipline, not a bunch of error checks. It's a bit like programming without gotos: the benefit comes not from avoiding typing "goto" into your source code, but rather from the style of reasoning you use when you learn the proper alternatives.

    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  14. .Net Contracts are Better! by Kane+Devaid · · Score: 2

    Or you could use the .Net Code Contracts which do all this with static analysis. Therefore you get proof up front that your contracts will never be violated by non exposed code, and without a performance penalty at run time. If a contract cannot be verified, warnings are given. You can then introduce appropriate branching to provide guarantees as necessary. http://research.microsoft.com/en-us/projects/contracts/