RFC: AbstractStringBuilder sharing its buffer with String
Vitaly Davidovich
vitalyd at gmail.com
Mon Nov 30 14:19:49 UTC 2015
Hi Peter,
I see your point about someone deliberately doing this to break String
invariants. But by this logic, everything should be "threadsafe" in case
someone attempts to break it via concurrency.
sent from my phone
On Nov 28, 2015 7:19 PM, "Peter Levart" <peter.levart at gmail.com> wrote:
>
>
> On 11/28/2015 08:19 PM, Vitaly Davidovich wrote:
>
> Is that a valid example given StringBuilder isn't threadsafe to begin
> with? If the SB instance is shared among threads that perform writes to it
> without external synchronization, it's a bug in that code. Am I missing
> something?
>
>
> That "bug" might be intentional. Produced to circumvent security check.
> String is trusted to be immutable. For example here:
>
> public FileInputStream(File file) throws FileNotFoundException {
> String name = (file != null ? file.getPath() : null);
> SecurityManager security = System.getSecurityManager();
> if (security != null) {
> security.checkRead(name);
> }
> if (name == null) {
> throw new NullPointerException();
> }
> if (file.isInvalid()) {
> throw new FileNotFoundException("Invalid file path");
> }
> fd = new FileDescriptor();
> fd.attach(this);
> path = name;
> open(name);
> }
>
>
> ...the trust is that it doesn't change between calls to:
>
> security.checkRead(name);
>
> and:
>
> open(name);
>
>
> You'd have to ensure that the returned String is stable and effectively
> immutable though, which means the underlying byte[] has to be released by
> SB right before it's mutated if it's shared, which I think Ivan's patch is
> doing (from a quick glance).
>
>
> But there's a race in code (even if 'shared' and 'value' were volatile),
> which I think is impossible to fix in StringBuilder without introducing
> locking.
>
> Sequence of operations (referring to quoted example below):
>
> - Thread 2 executes unshareValue() 1st while 'value' is not shared yet,
> which does nothing.
> - Thread 1 sets shared = true and creates a String with 'value' and
> returns it
> - Thread 2 proceeds with mutation of 'value' which is now shared with
> String in thread 1
>
>
>
> It would be possible to create a StringBuilder-like class (even a subclass
> of AbstractStringBuilder) that would be safe to use and would share the
> array with String with minimal overhead for mutative operations, but such
> class would not be compatible with StringBuilder. For example, using
> standard trick that limits the use of an instance to the thread that
> constructed it:
>
> public class SingleThreadedStringBuilder extends AbstractStringBuilder {
>
> private Thread constructingThread = Thread.currentThread();
>
> // and then in each mutative operation...
>
> @Override
> public SingleThreadedStringBuilder append(CharSequence s) {
> if (Thread.currentThread() != constructingThread) throw new
> IllegalStateException();
> super.append(s);
> return this;
> }
>
> // it could even be a one-shot object, so it could become unusable
> after a call to toString()
>
> @Override
> public String toString() {
> if (Thread.currentThread() != constructingThread) throw new
> IllegalStateException();
> constructingThread = null;
>
> // create and return a String, possibly passing the 'value' array
> by reference
> ...
> }
>
>
> Such class could be used for string concatenation, but I think JEP280 has
> a better answer for that and more.
>
> Regards, Peter
>
> sent from my phone
> On Nov 27, 2015 10:16 AM, "Peter Levart" <peter.levart at gmail.com> wrote:
>
>>
>>
>> On 11/27/2015 01:39 PM, Ivan Gerasimov wrote:
>>
>>> Hello!
>>>
>>> Prior to Java5, StringBuffer used to be able to share its internal
>>> char[] buffer with the String, returned with toString().
>>> With introducing of the new StringBuilder class this functionality was
>>> removed.
>>>
>>> It seems tempting to reintroduce this feature now in
>>> AbstractStringBuilder.
>>> The rationale here is that StringBuilder already provides a way of
>>> accepting the hint about the result's size.
>>> The constructor with the explicitly specified capacity is used for
>>> increasing the efficiency of strings concatenations.
>>> Optimizing this case by avoiding additional memory allocation and
>>> copying looks sensible to me.
>>>
>>> Here's the draft webrev
>>> http://cr.openjdk.java.net/~igerasim/XXXXXXX-ASB-shared-value/00/webrev/
>>>
>>
>> It is tempting, yes. But I think there was a reason that this was dropped
>> when StringBuilder was introduced and that reason was thread-safety.
>> StringBuilder doesn't use any synchronization. If a concurrent thread gets
>> a reference to a StringBuilder and executes mutating operations while some
>> other thread calls toString() on the same StringBuilder, then returned
>> String could appear to be changing it's content (be mutable), which can
>> have security implications:
>>
>> 413 public String toString() {
>> 414 final byte[] value = this.value;
>> 415 if (isLatin1()) {
>> 416 if ((count << coder) < value.length) {
>> 417 return StringLatin1.newString(value, 0, count);
>> 418 }
>> 419 shared = true;
>> 420 return new String(value, String.LATIN1);
>> 421 }
>> 422 return StringUTF16.newStringSB(value, 0, count);
>> 423 }
>>
>>
>> 927 public AbstractStringBuilder replace(int start, int end, String
>> str) {
>> 928 if (end > count) {
>> 929 end = count;
>> 930 }
>> 931 checkRangeSIOOBE(start, end, count);
>> 932 int len = str.length();
>> 933 int newCount = count + len - (end - start);
>> 934 ensureCapacityInternal(newCount);
>> 935 unshareValue();
>> 936 shift(end, newCount - count);
>> 937 count = newCount;
>> 938 putStringAt(start, str);
>> 939 return this;
>> 940 }
>>
>>
>> For example:
>>
>> static final StringBuilder sb = new StringBuilder(3).append("abc");
>>
>> Thread 1:
>>
>> String s = sb.toString();
>> System.out.println(s);
>>
>> Thread 2:
>>
>> sb.replace(0, 3, "def");
>>
>>
>> Question: What can Thread 1 print?
>>
>> Thread 1 sets shared = true and shares value array with String, but when
>> Thread 2 executes replace, it may not yet notice the write from Thread 1
>> and may not do anything in unshareValue(), effectively overwriting the
>> shared array with "def".
>>
>> Answer: I think anything of the following:
>>
>> abc
>>
>> dbc
>> aec
>> abf
>>
>> dec
>> dbf
>> aef
>>
>> def
>>
>> ...and the answer may change over time. Now imagine handing over such
>> string to new FileInputStream()...
>>
>>
>> Regards, Peter
>>
>>
>>
>>> This variant showed a significant speed improvement for the cases, when
>>> the the capacity is equal to the result's size (up to +25% to throughput).
>>> For the other cases, the difference isn't very clear based on my
>>> benchmarks :)
>>> But is seems to be small enough, as it only adds a few comparisons,
>>> coupled with already relatively heavy operations, like allocation and
>>> copying.
>>>
>>> Here's the benchmark that I've used:
>>>
>>> http://cr.openjdk.java.net/~igerasim/XXXXXXX-ASB-shared-value/MyBenchmark.java
>>>
>>> And the corresponding graphs.
>>>
>>> http://cr.openjdk.java.net/~igerasim/XXXXXXX-ASB-shared-value/ASB-Shared-bench-test15.png
>>>
>>> http://cr.openjdk.java.net/~igerasim/XXXXXXX-ASB-shared-value/ASB-Shared-bench-test17.png
>>> The blue line here stands for the baseline throughput.
>>>
>>> If people agree, this is a useful addition, a test should also be added,
>>> of course.
>>>
>>> Sincerely yours,
>>> Ivan
>>>
>>>
>>
>
More information about the core-libs-dev
mailing list