ABSTRACT
Java is a safe language. Its runtime environment provides strong safety guarantees that any Java application can rely on. Or so we think. We show that the runtime actually does not provide these guarantees for a large fraction of today's Java code. Unbeknownst to many application developers, the Java runtime includes a "backdoor" that allows expert library and framework developers to circumvent Java's safety guarantees. This backdoor is there by design, and is well known to experts, as it enables them to write high-performance "systems-level" code in Java. For much the same reasons that safe languages are preferred over unsafe languages, these powerful (but unsafe) capabilities in Java should be restricted. They should be made safe by changing the language, the runtime system, or the libraries. At the very least, their use should be restricted. This paper is a step in that direction. We analyzed 74 GB of compiled Java code, spread over 86,479 Java archives, to determine how Java's unsafe capabilities are used in real-world libraries and applications. We found that 25% of Java bytecode archives depend on unsafe third-party Java code, and thus Java's safety guarantees cannot be trusted. We identify 14 different usage patterns of Java's unsafe capabilities, and we provide supporting evidence for why real-world code needs these capabilities. Our long-term goal is to provide a foundation for the design of new language features to regain safety in Java.
Supplemental Material
This auxiliary material contains a VirtualBox Virtual Machine that allows you to reproduce the evaluation done in the paper. For more information, check readme.pdf inside the zip file.
Use at your own risk: the Java unsafe API in the wild
OOPSLA '15