Java is a safe language. Its runtime environment provides strong safety guarantees that any Java application can rely on. Or so we think. We show that the runtime actually does not provide these guarantees—for a large fraction of today's Java code. Unbeknownst to many application developers, the Java runtime includes a "backdoor" that allows expert library and framework developers to circumvent Java's safety guarantees. This backdoor is there by design, and is well known to experts, as it enables them to write high-performance "systems-level" code in Java. For much the same reasons that safe languages are preferred over unsafe languages, these powerful—but unsafe—capabilities in Java should be restricted. They should be made safe by changing the language, the runtime system, or the libraries. At the very least, their use should be restricted. This paper is a step in that direction. We analyzed 74 GB of compiled Java code, spread over 86,479 Java archives, to determine how Java's unsafe capabilities are used in real-world libraries and applications. We found that 25% of Java bytecode archives depend on unsafe third-party Java code, and thus Java's safety guarantees cannot be trusted. We identify 14 different usage patterns of Java's unsafe capabilities, and we provide supporting evidence for why real-world code needs these capabilities. Our long-term goal is to provide a foundation for the design of new language features to regain safety in Java.
Fri 30 OctDisplayed time zone: Eastern Time (US & Canada) change
10:30 - 12:00 | |||
10:30 22mTalk | Using C Language Extensions for Developing Embedded Software: A Case Study OOPSLA Markus Völter itemis, Germany, Arie van Deursen Delft University of Technology, Netherlands, Bernd Kolb itemis AG, Stephan Eberle itemis AG DOI Pre-print Media Attached | ||
10:52 22mTalk | How Scale Affects Structure in Java Programs OOPSLA DOI Pre-print Media Attached File Attached | ||
11:15 22mTalk | Use at Your Own Risk: The Java Unsafe API in the Wild OOPSLA Luis Mastrangelo University of Lugano, Switzerland, Luca Ponzanelli University of Lugano, Switzerland, Andrea Mocci University of Lugano, Switzerland, Michele Lanza University of Lugano, Switzerland, Matthias Hauswirth University of Lugano, Switzerland, Nate Nystrom University of Lugano, Switzerland DOI Media Attached | ||
11:37 22mTalk | Approximate Computation with Outlier Detection in Topaz OOPSLA Sara Achour Massachusetts Institute of Technology, USA, Martin C. Rinard Massachusetts Institute of Technology, USA DOI Media Attached |