[Cryptography] [FORGED] Re: How programming language design can help us write secure crypto code

Jerry Leichter leichter at lrw.com
Fri Oct 30 19:52:35 EDT 2015


> I think that the possibility of pointers being null
> is not wrong.  *WILD* pointers, at storage that has
> been deallocated or, worse, reallocated for something
> else, are an abomination, but null pointers are a
> simple and useful thing.
> 
> To me a null pointer is a semantically valid entity
> meaning "value not yet determined" or "no such value
> is possible" or "the structure had no data matching
> the criteria you searched for," etc.  If you didn't
> use null for that, you'd still need a way to express
> it.
This is a nice theory, but in practice, probably the most common cause of failures of Java programs "in the wild" is an NPE (NullPointerException).

The fact is, in most cases you don't need or want to represent the fact that some reference "isn't determined".  Interfaces that return a reference to an object, or a null if the object isn't there, can be written not to do that, eliminating all the pieces of code that *know for certain* that the object they looked for is there, so they don't even bother to check for null - and promptly die.

Yes, there are uses for null; and there are also alternative ways to represent the fact that some value may not be there, which force the programmer to be aware of, and somehow deal with, that fact.  (You can compare this to returning an error code or special value on failure - which every caller must explicitly check for - to throwing an exception, which a caller must explicitly catch or his program will die at that point.)

Strong type systems ensure that the data you have supports some set of operations.  Allowing null in says "well, the type system says the operation can be invoked, but there's the run-time special case you have to watch out for".

If you haven't tried programming with "not null" as a checked part of the type system ... you should.  You'll be surprised how much it clarifies the code and makes it safer.  (It's akin to maintaining const-correctness in C++.)

                                                        -- Jerry
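An added illustration, not part of Jerry's message, of the distinction drawn above: a lookup whose "absent" case is a sentinel value the caller can forget to check, beside one whose absence is a checked part of the return type (Rust's `Option<T>`). The key store, ids and key bytes are constructed sample data.

```rust
// Added example: sentinel-style vs. type-checked "no such value" in a key lookup.

#[derive(Debug, Clone, PartialEq)]
pub struct KeyEntry {
    pub id: u32,
    pub key: Vec<u8>, // constructed sample bytes, not real key material
}

/// Sentinel style: returns the entry's position, or -1 when the id is absent.
/// Nothing in the type forces the caller to compare against -1 before using
/// the result as an index, which is exactly the "promptly die" failure mode.
pub fn find_key_index(store: &[KeyEntry], id: u32) -> i64 {
    store
        .iter()
        .position(|e| e.id == id)
        .map(|i| i as i64)
        .unwrap_or(-1)
}

/// Checked style: absence is part of the return type. A caller cannot touch
/// `.key` on the result without first handling the `None` case; the compiler
/// rejects the unchecked access instead of the program failing at run time.
pub fn find_key(store: &[KeyEntry], id: u32) -> Option<&KeyEntry> {
    store.iter().find(|e| e.id == id)
}

/// A caller written against the checked interface: the match is exhaustive,
/// so the absent case is handled by construction.
pub fn key_len_or_zero(store: &[KeyEntry], id: u32) -> usize {
    match find_key(store, id) {
        Some(entry) => entry.key.len(),
        None => 0,
    }
}

/// Constructed sample store used by the example.
pub fn sample_store() -> Vec<KeyEntry> {
    vec![
        KeyEntry { id: 1, key: vec![0x11; 16] },
        KeyEntry { id: 7, key: vec![0x22; 32] },
    ]
}

fn main() {
    let store = sample_store();
    // Sentinel version: the caller must remember that -1 means "not found".
    println!("index of id 7: {}", find_key_index(&store, 7));
    println!("index of id 9: {}", find_key_index(&store, 9));
    // Checked version: the type made the caller handle "not found".
    println!("key len for id 7: {}", key_len_or_zero(&store, 7));
    println!("key len for id 9: {}", key_len_or_zero(&store, 9));
}
```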


