Update on String Templates (JEP 459)
Maurizio Cimadamore
maurizio.cimadamore at oracle.com
Wed Mar 13 10:29:21 UTC 2024
Hi Tagir,
while subclassing is handy, I think it actively works against the goal
of trying to make string handling any safer.
Let’s consider the case of a /new/ API, that wants to do things the
/right/ way. This API will provide a StringTemplate-accepting factory.
But if clients can supply a value using |"foo" + bar|, then we’re back
to where we started: the new API is no safer than a String-accepting
factory.
Note: there is a big difference between passing |"foo" + bar| and
|"foo\{bar}"|. In the former, the library only gets a string. It has no
way to distinguish between which values were user-provided, and which
ones were constant. In the latter, the string template has a value. The
library might need to analyze that value more carefully as it might come
from outside.
The main value of string templates is to allow clients to capture what
/can change/ and separate it from what /cannot/ change. Attacks
typically lurk in the variable part. But eager interpolation (e.g.
string +) destroys this separation.
> I think that most of the APIs will still provide String overload.
> E.g., for preparing an SQL statement, it's a perfectly reasonable
> scenario to have a constant string as the input. So
> prepareStatement(String) will stay along with
> prepareStatement(StringTemplate). And people will still be able to use
> concatenation. I don't think that the absence of String <:
> StringTemplate relation will protect anybody from using the
> concatenation. On the other hand, if String actually implements
> StringTemplate, it will be a very simple static analysis rule to warn
> if the concatenation occurs in this context. If the expected type for
> concatenation is StringTemplate, then something is definitely wrong.
> Without 'String implements StringTemplate', one will not be able to
> write a concatenation directly in StringTemplate context. Instead,
> String-accepting overload will be used, and the expected type will be
> String, so static analyzer will have to guess whether it's dangerous
> to use the concatenation here. In short, I think that it's actually an
> advantage: we have an additional hint here that concatenation is
> undesired. Even compilation warning could be possible to implement.
>
> So, I don't see these points as real disadvantages. I definitely like
> this approach much more than adding any kind of implicit conversion or
> another literal syntax, which would complicate the specification much
> more.
I don’t buy that, since there’s already String-accepting API in the
wild, then we can never be safer than that. String-accepting variant can
be deprecated, if needs be.
Maurizio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/amber-spec-observers/attachments/20240313/32b1006b/attachment-0001.htm>
More information about the amber-spec-observers
mailing list