Re: JavaMemoryModel: Relaxing formalization of "causal loop" safety

From: Bill Pugh (pugh@cs.umd.edu)
Date: Tue Jul 16 2002 - 21:01:09 EDT
At 11:08 AM -0700 7/15/02, Paul Jakubik wrote:
>After reading the proposal I have a question. Why does the
>memory model have to specify some sort of reasonable behavior
>for incorrectly synchronized programs? Why can't surprising
>things happen when there isn't synchronization or some form of
>memory barrier?

You must define some semantics for incorrectly synchronized programs.
A program without semantics is like a program with a buffer overrun.
You need to be able to make safety guarantees about incorrectly
synchronized programs. This is particularly an issue in Java because
you often want to execute code that isn't fully trusted. An attacker
could deliberately introduce synchronization errors in order to force
the program into a mode where security guarantees were violated.

This isn't saying that we encourage incorrect synchronization or make
it convenient to design effective software that uses incorrect
synchronization. Just that the semantics must be defined, and they
must enforce some safety guarantees (e.g., incorrectly synchronized
programs are still type safe).

Bill
-------------------------------
JavaMemoryModel mailing list - http://www.cs.umd.edu/~pugh/java/memoryModel
This archive was generated by hypermail 2b29 : Thu Oct 13 2005 - 07:00:40 EDT