Final field semantics

  1. Semantics of final fields in Java. Vladimir Sitnikov, Valentin Kovalenko (sitnikov@netcracker.com, @VladimirSitnikv), NetCracker, September 2014
  2. Introduction Examples 2 / 104 (c) Copyright 2014, NetCracker Technology Corp. All rights reserved
  3. Why is final required in the JMM?
  4. String safety

     ```java
     String s = ...;
     if (checkAccess(s)) {
         return readFile(s);
     }
     ```

     Is this a valid security check?
  5. String unsafety in 1.4

     ```java
     String s = ...;
     if (checkAccess(s)) {
         return readFile(s);
     }
     ```

     The answer depends on the Java version; in Java 1.4 the code is insecure.
  6. String unsafety in 1.4

     ```java
     // checker thread
     String s = GLOBAL;
     if (checkAccess(s)) {
         return readFile(s);
     }

     // HackThread
     GLOBAL = "/tmp/etc/passwd".substring(4);
     ```

     For instance: HackThread executes .substring(4) and passes the result to the checker thread via a data race.
  7. String unsafety in 1.4

     ```java
     // checker thread
     String s = GLOBAL;
     if (checkAccess(s)) {
         return readFile(s);
     }

     // HackThread
     GLOBAL = "/tmp/etc/passwd".substring(4);
     ```

     In Java 1.4 the result of substring references the same char array, and the value depends on String#offset and String#size.
  8. String unsafety in 1.4

     ```java
     // checker thread
     String s = GLOBAL;
     if (checkAccess(s)) {
         return readFile(s);
     }

     // HackThread
     GLOBAL = "/tmp/etc/passwd".substring(4);
     ```

     [diagram arrows: race, race] Since no synchronization is in place, the reader might observe a not-fully-initialized String.
  9. String unsafety in 1.4

     ```java
     // checker thread
     String s = GLOBAL;
     if (checkAccess(s)) {
         return readFile(s);
     }

     // HackThread
     GLOBAL = "/tmp/etc/passwd".substring(4);
     ```

     [diagram arrows: race, race] checkAccess might observe "/tmp/etc/passwd", and even then readFile might observe "/etc/passwd".
  10. String unsafety in 1.4

      ```java
      // checker thread
      String s = GLOBAL;
      if (checkAccess(s)) {
          return readFile(s);
      }

      // HackThread
      GLOBAL = "/tmp/etc/passwd".substring(4);
      ```

      [diagram arrows: race, race] checkAccess might observe "/tmp/etc/passwd", and even then readFile might observe "/etc/passwd". Even synchronization on s and volatile will not help!
  11. String safety in Java 1.5+

      ```java
      // checker thread
      String s = GLOBAL;
      if (checkAccess(s)) {
          return readFile(s);
      }

      // HackThread
      GLOBAL = "/tmp/etc/passwd".substring(4);
      ```

      [diagram arrows: hb, hb] In Java 1.5+, final protects against such non-initialized objects from HackThread.
  12. Why do we need the JMM?
  13. Quiz

      ```java
      int x = 1;

      public int neverTryThisAtHome() {
          int i = this.x;     // it is 1, isn't it?
          this.setX(2);       // just updates x to 2
          return this.x - i;  // 2 - 1 == ...?
      }
      ```

      What is the result? 1? 0? -1?
  14. Quiz

      ```java
      int x = 1;

      public int neverTryThisAtHome() {
          int i = this.x;     // it is 1, isn't it?
          this.setX(2);       // just updates x to 2
          return this.x - i;  // 2 - 1 == ...?
      }
      ```

      OK, the result is 1.
  15. Quiz

      ```java
      final int x = 1;

      public int neverTryThisAtHome() {
          int i = this.x;     // it is 1, isn't it?
          this.setX(2);       // just updates x to 2
          return this.x - i;  // 2 - 1 == ...?
      }
      ```

      Let's add some final.
  16. Quiz

      ```java
      final int x = 1;

      public int neverTryThisAtHome() {
          int i = this.x;     // it is 1, isn't it?
          this.setX(2);       // just updates x to 2
          return this.x - i;  // 2 - 1 == ...?
      }
      ```

      The specification allows all the cases: 1, 0, and even -1! (see also example 17.5.3-1)
  17. A bit of theory
  18. Program order
      - Program order is a total order among the inter-thread actions of each thread, in source code order
  19. Program order
      - Program order is a total order among the inter-thread actions of each thread, in source code order
      - The compiler is forbidden from reordering, altering or ignoring operations if the observable behavior would violate program order
  20. Program order
      - Program order is a total order among the inter-thread actions of each thread, in source code order
      - The compiler is forbidden from reordering, altering or ignoring operations if the observable behavior would violate program order
      - It does not mean the program is executed in program order
  21. Program order
      - Program order is a total order among the inter-thread actions of each thread, in source code order
      - The compiler is forbidden from reordering, altering or ignoring operations if the observable behavior would violate program order
      - It does not mean the program is executed in program order
      - For instance: program order is not defined for operations on local variables
  22. Partial order
      - In section 17 of the JLS, "partial order" is mentioned 8 times
  23. Partial order
      - In section 17 of the JLS, "partial order" is mentioned 8 times
      - Partial order is hb
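
The String example from slides 4 to 11, as an added illustration that is not part of the original slides: a simplified model of a Java 1.4-style substring object that enumerates which views a racing reader may see when its fields are not final, compared with final fields. The field names `offset` and `count`, the `/tmp/` prefix policy inside `checkAccess`, and the helper names are assumptions; the model leaves out the case where the array reference itself is not yet visible.

```java
import java.util.LinkedHashSet;
import java.util.Set;
// Added illustration (not from the slides): a simplified model of a Java 1.4-style
// substring that shares its parent's char[] and is published through a data race.
public class SubstringRaceModel {
    // Assumed field names: offset and count select a window of the shared array.
    static String view(char[] value, int offset, int count) { return new String(value, offset, count); }

    // Views a reader without synchronization may observe.
    static Set<String> observable(char[] value, int offset, int count, boolean fieldsFinal) {
        Set<String> views = new LinkedHashSet<>();
        if (fieldsFinal) {
            // Final fields are frozen when the constructor ends, so (provided 'this'
            // did not escape during construction) only the finished object is visible.
            views.add(view(value, offset, count));
            return views;
        }
        // Non-final fields: each write may or may not be visible yet (default is 0).
        for (int o : new int[] {0, offset}) {
            for (int c : new int[] {0, count}) {
                views.add(view(value, o, c));
            }
        }
        return views;
    }

    // Hypothetical policy: only paths under /tmp/ may be read.
    static boolean checkAccess(String path) { return path.startsWith("/tmp/"); }

    // True if one view passes the check while a later read yields a path the check rejects.
    static boolean checkCanBeBypassed(Set<String> views) {
        for (String checked : views) {
            if (!checkAccess(checked)) continue;
            for (String used : views) {
                if (!used.isEmpty() && !checkAccess(used)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        char[] shared = "/tmp/etc/passwd".toCharArray();      // constructed sample
        Set<String> racy = observable(shared, 4, 11, false);  // substring(4): offset 4, count 11
        Set<String> safe = observable(shared, 4, 11, true);
        System.out.println("non-final: " + racy + " bypass possible: " + checkCanBeBypassed(racy));
        System.out.println("final:     " + safe + " bypass possible: " + checkCanBeBypassed(safe));
    }
}
```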