Fire in the type hole Why you shouldn’t trust a Java compiler in everything

Heejong Lee (@heejongl)

– Mr. Unknown Java Compiler

“Do you trust me?”

Computer Science

[Tool]

The Study of Programming Languages

[Method]

The Study of Algorithm

• Reliable safety net for programming systems

• Statically verifying that something wrong will not happen in the runtime

• Blazingly fast

A great step forward to the better world :Type System

Type Systems

Type System

Safe programs Unsafe programs

Typed programs

• Verified by a type system implies a program will never violate the rule that the type system defines

• Failed by a type system does not implies a program will violate the rule that the type system defines

• Possibly, there exists a program which is safe but a type system cannot verify its safety

Type System

Type System

1

Type System

1:int

Type System

1:int + “hello”

Type System

1:int + “hello”:string

Type System

1:int + “hello”:string

May cause segmentation fault, exception, unexpected behavior in some languages

Type System

(1:int + “hello”:string):string

In Java, 1 will be automatically converted to string

Type System

(1:int + “hello”:string):int

Or, error: incompatible types: String cannot be converted to int

Type System

String foo(int x) { int y = 10 + x;

return y.toString(); }

void bar() { foo(10); }

foo : int -> string

= +

toString

bar : unit -> unit

foo( )

“…Really?”

One value to rule types all

• The most catastrophic design decision ever made

• Tony Hoare introduced Null references in ALGOL W back in 1965 “simply because it was so easy to implement”

• Can be an any type, ultimately unarm the Java type system

Null

foo : string -> string

bar : unit -> unit

foo( )

Type System

String foo(String x) { return x.toUpperCase();

}

void bar() { String s = null; foo(s); }

toUpperCase

foo : string -> string

bar : unit -> unit

foo( )

Type System

String foo(String x) { return x.toUpperCase();

}

void bar() { String s = null; foo(s); }

toUpperCase

• Impossible in general

• However, recent programming languages introduce a typed null : Option[T] in Scala, Optional<T> in Java8

How could we survive Null attacks

Null Checking Idioms

String x = getString(); String y = null; if(x != null) { y = x.toUpperCase(); } else { y = “none”; }

val x = Option(getString()) val y = x.map{_.toUpperCase}. getOrElse(“none”)

Java 7- Scala

Null Checking Idioms

String x = getString(); String y = x.toUpperCase();

val x = Option(getString()) val y = x.toUpperCase

Java 7- Scala

Okay until it actually runs Compilation error

• Use static analyzers. Not perfect but practical enough

• Do not use null at all. Define empty values. Use alternative languages such as Scala

Possible Solutions for Null

Game is not over yet

Long time ago in the Java type system,

Java Array and Type Variance

String[] strings = new String[10]; Object[] objects = strings; objects[0] = 0;

Compiled well but throw exception in a runtime

Why?

Type Variance

Set[Dog] <: Set[Animal] ?

Assume Dog is a subclass of Animal

Could a set of Dog be a subclass of a set of Animal?

Dog <: Animal

Type Variance

Set[Dog] <: Set[Animal]

Assume Dog is a subclass of Animal

If Set is covariant

Dog <: Animal

If Set is contravariant

Set[Animal] <: Set[Dog]

Type Variance in Action

Assume Dog <: Animal, Rose <: Flower

Animal RoseDog Flower

We can use a function Animal -> Rose as if it were a function Dog -> Flower

Type Variance in Action

Assume Dog <: Animal, Rose <: Flower

Animal RoseDog Flower

val foo : Animal => Rose = { x => …} val bar : Dog => Flower = foo

Type Variance in Action

Assume Dog <: Animal, Rose <: Flower

Animal RoseDog Flower

val foo : Function1[Animal,Rose] = { x => …} val bar : Function1[Dog,Flower] = foo

trait Function1[-T,+R]

Java Array Revisited

String[] strings = new String[10]; Object[] objects = strings; objects[0] = 0;

Java Array is covariant which means

Reading from Java Array is always safe

Writing to Java Array is not always safe

Type Variance Revisited

Variance Explanation Reading Writing

Set[E] Invariance

Set[Animal] should be Set[Animal] Set[Dog] should be Set[Dog] Safe Safe

Set[+E] Covariance

Set[Animal] can be Set[Dog] Set[Dog] should be Set[Dog] Safe Unsafe

Set[-E] Contravariance

Set[Animal] should be Set[Animal] Set[Dog] can be Set[Animal] Unsafe Safe

Assume Dog is a subclass of Animal

• Use generics. Avoid raw types. Avoid arrays

• Use alternative type-safe languages such as Scala

Possible Solutions for Java Type Holes

Deus ex machina

Just use Scala

http://scala-lang.org