But I noticed a trend that many companies and open source projects are migrating into TypeScript. Is it worth to use static type checkers on personal projects? Or just use a data validator like Joi for the sake truly runtime safety? Basically not much! Most type-safe languages include some form of dynamic type checking, even if they also have a static type checker.
The reason for this is that many useful features or properties are difficult or impossible to verify statically. Currently we have some income solutions to write safer JavaScript by using JavaScript object validators to check at runtime or static type checkers which allow you to annotate types but get stripped at compile-time. JavaScript data validators are just small, simple, intuitive, and standalone libraries which allow you to describe what shape of data you want using pure JavaScript.
These validators are extremely useful when writing JavaScript in servers to validate dynamic data from users at runtime. React provides an internal mechanism for adding type checking to components. React components use a special property named propTypes to set up type checking.
Class to represent types in J. For any such object o , cl o stands for the loader object that created o i. We say that cl o defines o.
The constant pool of o , cp o , is the constant pool of the class file that was used by cl o to create o. Over the course of execution of J , a loader l may be presented with requests by the JVM to load a class, emanating from its desire to do constant resolution.
The JVM guarantees that, as part of constant resolution, for any name n , it will call l at most once to load a class with name n. Thus at any given instant in the execution of J , l will have responded to some finite set of requests, by either returning a valid class object, or refusing to define a class object. A loader l may also have refused to terminate on some request, but since we are only concerned with safety properties, we shall ignore that possibility.
We shall model this by associating with l a mapping m: m l from the set dom l of names in the domain of l to class objects. A name n is said to be foreign for l if n is in dom l and cl m l n is different from l. Definition[a refers to b ] Let a and b be two class objects in J. Say that a refers to b if n b occurs in a's constant pool, and m cl a n b is defined and equals b. That is, a refers to b if the code for a refers to the name of b , and the name of b is resolved by the loader for a into b.
Definition[Bridge-safe] A JVM J is bridge-safe if at no time during its execution and for any input during its execution may a bridge come into existence. Let us develop some general conditions on class loaders that will be necessary and sufficient to prevent such bridges from coming into existence.
Definition[Isolating foreigners] A loader l isolates foreigners if for every name n foreign for l every class name q in the constantpool of m l n and in the domain of l and cl m l n is foreign for l. In the example discussed earlier, no instance of DelegationLoader isolates foreigners, since the name R occurring in the constantpool of a foreign name, RR , is not foreign. Let J be a JVM. J is bridge-safe iff every class loader that can come into existence during its execution isolates foreigners.
Informal proof. Suppose a bridge r, a', s, a exists. Then, n s is a foreigner for cl r. Assume cl r isolates foreigners. Then n a is foreign for cl r. In the other direction assume there is a loader l that does not isolate foreigners.
Let n be a name foreign to l , and name q be in the constant pool of m l n , and q be not foreign to l. Construct a class r in l that refers to n and q.
Then each of r , m l q , m l n , m cl m l n q exists, and taken together constitute a bridge. End of proof. In general, proving for any arbitrary class loader that it is bridge-safe may be very difficult -- there may not be enough data available, e. However, some general strategies can be followed for designing loaders that isolate foreigners. For instance, a loader constructed as follows will always isolate foreigners: It divides its domain into two disjoint parts, the "core" domain, cdom l and the "user" domain, udom l.
All and only the names in the core domain are foreign. Now any such l will isolate foreigners provided that it is the case that for every n in the core domain of l , cp m l n is a subset of cdom l. Again, in general there may not be enough data available to make this decision but in practice, one would write the "core classes" the union, across all l , of the sets obtained by mapping m l across cdom l in such a way that they only reference core classes.
Under such a design practice, the loaders would isolate foreigners. Note however, that each time a new class was added to the core, one would have to verify that it references only core classes.
From the informal description of the classloaders given in HotJava , it appears that they are written using this methodology. Thus, a user may never be unconditionally certain that a particular HotJava browser running on his desktop is bridge-safe but he may be certain under the reasonable assumption that the core classes already on his disk and any other core class to be added later satisfy the property that they only reference core classes.
Before leaving this topic, I want to point out that another way of causing type-spoofing, apparently described earlier by David Hopgood, does not work. I should say "does not work anymore". Given that a "direct" bridge is not possible for loaders that isolate foreigners, one may try instead to construct an indirect bridge as follows.
Consider s and r , such that cl s is distinct from cl r. Find an intermediary class i , such that cl i is distinct from cl s and cl r. Thus i is foreign to both s and r. Pick a name q in the domain of cl s and cl r. Define a in cl s to inherit from the type associated with i , and a' in cl r to inherit from i. Now communicate from s an instance of q typecast to i , receive it at r at type i , coerce it to type q , and use it to spoof. For instance, concretely, two applets S and R may work in tandem to launch this attack.
Both will be loaded into their own loaders. Both define a type, say RStream to extend java. InputStream , intending to use java.
When the user visits the page containing the applet R , R reads System. The attack fails because the explicit cast at the receiving end generates a ClassCastException [Lindholm P. So the checkcast JVM instruction checks the "run-time type" as it should. Why does type-spoofing work? What is happening in the JVM? On an abstract note, the heart of the problem lies in the somewhat different views of "types" taken by the Java compiler and the Java Virtual Machine.
The reality in the JVM is that multiple class files with the same name and arbitrarily different fields and methods can be simultaneously loaded into different classloaders. Therefore, a type should be a pair FQN, CL of a name and the classloader in which the corresponding class was loaded. Primitive types can be considered to be identical across all classloaders. Though this is stated explicitly in [Lindholm P. If a type is to be thought of as the pair FQN, CL , then the huge problem arises of how to make sense of [Gosling 96]!
Throughout the book, a type is talked of as if it is an FQN. It appears that [Gosling 96] intends different interpretations in different places. The standard class Object is a superclass Sec 8. A variable of type Object can hold a reference to any object, whether it is an instance of a class or an array Sec Which type Class?
Current scope or base? Experimentally I have verified that in JDK 1. It seems to me that the designers intended current scope for "user-defined" classes and this is how the JVM is designed. Clearly, the notion of multiple classloaders does not make sense otherwise. You want the classnames in the applet code loaded to refer to the classes loaded into the same loader. However it seems that base scope is intended for some predefined "system" classes this notion is not explicitly defined in the book, but implicitly referred to such as java.
Class and java. In the interests of cleanliness of system design it seems to me that current scope should be adopted uniformly. One very attractive property of such a proposal would be that it would allow different object systems, with very different behaviors to be implemented very easily within Java merely by changing the basic classes loaded into a given loader! This confusion in thinking leads to the problem highlighted in this paper. To see how, let us turn to an analysis of how Java links and runs code.
To support dynamic linking, the class file corresponding to a Java source file retains in its constant pool the symbolic FQNs of the classes, interfaces, fields, methods and their typenames in its byte-code.
For instance, a method invocation on an object is associated in the class file with the name of the method being invoked, the name of the class containing the declaration of the method, and the descriptor of the method, which captures the name and sequence of the argument typenames and the return typenames of the method. At run-time operations involving these symbolic references are converted into operations involving actual offsets into field and method-tables through a process known as constant pool resolution CPR [Lindholm Chapter 5].
Footnote: The opcodes which can initiate CPR activity are: getfield , getstatic getting the value of instance and static fields ; putfield , putstatic and aastore setting the value of instance and static fields, and entries in an array ; and invokeinterface , invokespecial , invokestatic invoking constructors and methods. Now consider what happens at run-time when a method m on class c , with descriptor d is invoked on object o using the invokevirtual instruction, [Lindholm P].
The associated class loader is asked to load the class c. This may involve, recursively, the loading of other classes, e. Footnote: Note that the code loaded by the class loader in response to this request may have no relationship with the code used by the compiler to compile this class.
No "compiled-with" information is stored by the compiler in the class file for use at link-time. Once that is accomplished, d is matched against the descriptors of methods defined in the just loaded class this is called resolving the method [Lindholm 97, p].
If the referenced method does not exist in the specified class or interface, field resolution throws a NoSuchMethodError. From the description it is not completely clear how it is determined that the referenced method does not exist in the specified class or interface.
The most natural assumption seems to be that two methods are considered "equal" if they are name-equivalent , i. An exception is thrown if there is no such method.
The result of resolving is an index i into a method table. Note that this entire process involves classes loaded by the current class loader.
These classes are supposed to be the runtime equivalents of the classes used by the compiler when creating the class file, so this process is analogous to what a compiler would have done in a statically-linked language: identify the layout of the class on which a method is being invoked, and determine the offset of the method in it.
Note that:. No "run-time" information e. Now that this offset has been determined, it is assumed that this is a valid offset in the method table of the actual run-time class of the object. The method description assumed to be at that offset is then executed [Lindholm 97, p]. The constant pool entry representing the resolved method includes an unsigned index into the method table of the resolved class and an unsigned byte nargs that must not be zero.
In the context of static compile-time type systems, type safety usually involves among other things a guarantee that the eventual value of any expression will be a legitimate member of that expression's static type. The precise requirement is more subtle than this — see, for example, subtype and polymorphism for complications.
Type safety is closely linked to memory safety , a restriction on the ability to copy arbitrary bit patterns from one memory location to another. Conversely, if the language is type-unsafe to the extent of allowing an arbitrary integer to be used as a pointer , then it is not memory-safe.
Most statically typed languages provide a degree of type safety that is strictly stronger than memory safety, because their type systems enforce the proper use of abstract data types defined by programmers even when this is not strictly necessary for memory safety or for the prevention of any kind of catastrophic failure. Jump to: navigation , search. Context: It can typically be a Statically-Typed Language.
0コメント