Putting on my extremist hat, here's my response:
You correctly state that the attack only works for "trusted immutable
classes" (e.g., String). We agree that the current String implementation
would not withstand such an attack under a weak memory model. You say
(roughly speaking) "we could add one or two hideous access modifiers that
ordinary programmers won't understand, or change the semantics of current
modifiers, so experts will be able to write secure immutable classes."
While I believe that this approach could perhaps be made to work, it
contradicts the spirit of Java. Java is supposed to be a simple,
straightforward language -- "a working man's language" in James Gosling's
words. "Naive" immutable classes should just work.
While we might be able to cover our own posteriors by doing a thorough
audit of the JRE libraries, that doesn't help library developers who write
their own immutable classes. This is not at all uncommon. In fact, it's
one of the best design patterns around, and its use appears (thankfully) to
be on the rise. It would be really depressing to turn around and say:
"Immutables really are great, but they're also a lot harder to write
correctly that we thought they were."
This is the JavaMemoryModel mailing list, managed by Majordomo 1.94.4.
To send a message to the list, email JavaMemoryModel@cs.umd.edu
To send a request to the list, email email@example.com and put
your request in the body of the message (use the request "help" for help).
For more information, visit http://www.cs.umd.edu/~pugh/java/memoryModel
This archive was generated by hypermail 2b29 : Thu Oct 13 2005 - 07:00:17 EDT