Create a mutable java.lang.String

2020-01-25 12:59发布

问题:

It's common knowledge that Java Strings are immutable. Immutable Strings are great addition to java since its inception. Immutability allows fast access and a lot of optimizations, significantly less error-prone compared to C-style strings, and helps enforce the security model.

It's possible to create a mutable one without using hacks, namely

  • java.lang.reflect
  • sun.misc.Unsafe
  • Classes in bootstrap classloader
  • JNI (or JNA as it requires JNI)

But is it possible in just plain Java, so that the string can be modified at any time? The question is How?

回答1:

Creating a java.lang.String with the Charset constructor, one can inject your own Charset, which brings your own CharsetDecoder. The CharsetDecoder gets a reference to a CharBuffer object in the decodeLoop method. The CharBuffer wraps the char[] of the original String object. Since the CharsetDecoder has a reference to it, you can change the underlying char[] using the CharBuffer, thus you have a mutable String.

public class MutableStringTest {


    // http://stackoverflow.com/questions/11146255/how-to-create-mutable-java-lang-string#11146288
    @Test
    public void testMutableString() throws Exception {
        final String s = createModifiableString();
        System.out.println(s);
        modify(s);
        System.out.println(s);
    }

    private final AtomicReference<CharBuffer> cbRef = new AtomicReference<CharBuffer>();
    private String createModifiableString() {
        Charset charset = new Charset("foo", null) {
            @Override
            public boolean contains(Charset cs) {
                return false;
            }

            @Override
            public CharsetDecoder newDecoder() {
                CharsetDecoder cd = new CharsetDecoder(this, 1.0f, 1.0f) {
                    @Override
                    protected CoderResult decodeLoop(ByteBuffer in, CharBuffer out) {
                        cbRef.set(out);
                        while(in.remaining()>0) {
                            out.append((char)in.get());
                        }
                        return CoderResult.UNDERFLOW;
                    }
                };
                return cd;
            }

            @Override
            public CharsetEncoder newEncoder() {
                return null;
            }
        };
        return new String("abc".getBytes(), charset);
    }
    private void modify(String s) {
        CharBuffer charBuffer = cbRef.get();
        charBuffer.position(0);
        charBuffer.put("xyz");
    }

}

Running the code prints

abc
zzz

I don't know how to correctly implement decodeLoop(), but i don't care right now :)



回答2:

The question received a good answer by @mhaller. I'd say the so-called-puzzle was pretty easy and by just looking at the available c-tors of String one should be able to find out the how part, a

Walkthrough

C-tor of interest is below, if you are to break-in/crack/look for security vulnerability always look for non-final arbitrary classes. The case here is java.nio.charset.Charset


//String
public String(byte bytes[], int offset, int length, Charset charset) {
    if (charset == null)
        throw new NullPointerException("charset");
    checkBounds(bytes, offset, length);
    char[] v = StringCoding.decode(charset, bytes, offset, length);
    this.offset = 0;
    this.count = v.length;
    this.value = v;
}
The c-tor offers supposedly-fast way to convert byte[] to String by passing the Charset not the chartset name to avoid the lookup chartsetName->charset. It also allows passing an arbitrary Charset object to create String. Charset main routing converts the content of java.nio.ByteBuffer to CharBuffer. The CharBuffer may hold a reference to char[] and it's available via array(), also the CharBuffer is fully modifiable.


    //StringCoding
    static char[] decode(Charset cs, byte[] ba, int off, int len) {
        StringDecoder sd = new StringDecoder(cs, cs.name());
        byte[] b = Arrays.copyOf(ba, ba.length);
        return sd.decode(b, off, len);
    }

    //StringDecoder
    char[] decode(byte[] ba, int off, int len) {
        int en = scale(len, cd.maxCharsPerByte());
        char[] ca = new char[en];
        if (len == 0)
            return ca;
        cd.reset();
        ByteBuffer bb = ByteBuffer.wrap(ba, off, len);
        CharBuffer cb = CharBuffer.wrap(ca);
        try {
            CoderResult cr = cd.decode(bb, cb, true);
            if (!cr.isUnderflow())
                cr.throwException();
            cr = cd.flush(cb);
            if (!cr.isUnderflow())
                cr.throwException();
        } catch (CharacterCodingException x) {
            // Substitution is always enabled,
            // so this shouldn't happen
            throw new Error(x);
        }
        return safeTrim(ca, cb.position(), cs);
    }

In order to prevent altering the char[] the java developers copy the array much like any other String construction (for instance public String(char value[])). However there is an exception - if no SecurityManager is installed, the char[] is not copied.

    //Trim the given char array to the given length
    //
    private static char[] safeTrim(char[] ca, int len, Charset cs) {
        if (len == ca.length 
                && (System.getSecurityManager() == null
                || cs.getClass().getClassLoader0() == null))
            return ca;
        else
            return Arrays.copyOf(ca, len);
    }

So if there is no SecurityManager it's absolutely possible to have a modifiable CharBuffer/char[] that's being referenced by a String.

Everything looks fine by now - except the byte[] is also copied (the bold above). This is where java developers went lazy and massively wrong.

The copy is necessary to prevent the rogue Charset (example above) to be able alter the source byte[]. However, imagine the case of having around 512KB byte[] buffer that contains few String. Attempting to create a single small, few charts - new String(buf, position, position+32,charset) resulting in massive 512KB byte[] copy. If the buffer were 1KB or so, the impact will never be truly noticed. With large buffers, the performance hit is really huge, though. The simple fix would be to copy the relevant part.

...or well the designers of java.nio thought about by introducing read-only Buffers. Simply calling ByteBuffer.asReadOnlyBuffer() would have been enough (if the Charset.getClassLoader()!=null)* Sometimes even the guys working on java.lang can get it totally wrong.

*Class.getClassLoader() returns null for bootstrap classes, i.e. the ones coming with the JVM itself.



回答3:

I would say StringBuilder (or StringBuffer for multithreaded use). Yes at the end you get a immutable String. But that's the way to go.

For example the best way to append Strings in a loop is to use StringBuilder. Java itself uses StringBuilder when you use "fu " + variable + " ba".

http://docs.oracle.com/javase/6/docs/api/java/lang/StringBuilder.html

append(blub).append(5).appen("dfgdfg").toString();



回答4:

// How to achieve String Mutability

import java.lang.reflect.Field; 

public class MutableString {

    public static void main(String[] args) { 
        String s = "Hello"; 

        mutate(s);
        System.out.println(s); 

    } 

    public static void mutate(String s) {
        try {

            String t = "Hello world";
            Field val = String.class.getDeclaredField("value"); 
            Field count = String.class.getDeclaredField("count"); 
            val.setAccessible(true); 
            count.setAccessible(true); 

            count.setInt (s, t.length ());
            val.set (s, val.get(t));
        } 
        catch (Exception e) { e.printStackTrace(); }
    } 

}


回答5:

Don't reinvent the wheel. Apache commons provides just that.

MutableObject<String> mutableString = new MutableObject<>();


回答6:

Simplier way to swap bootstrap class path of java and javac

1) Go to jdk installation and copy to separate folder rt.jar and src.zip

2) Unpack String.java from sources zip and change it private field value of inner char array to public

public final class String
    implements java.io.Serializable, Comparable<String>, CharSequence {
    /** The value is used for character storage. */
    public final char value[];

3) Compile modified String.java with help of javac:

javac String.java

4) Move compiled String.class and other compiled classes to rt.jar in this directory

5) Create test class that use String private field

package exp;

    class MutableStringExp { 

        public static void main(String[] args) {
            String letter = "A";
            System.out.println(letter);
            letter.value[0] = 'X';
            System.out.println(letter);
        }
    }

6) Create empty dir target and compile test class

javac -Xbootclasspath:rt.jar -d target MutableStringExp.java

7) Run it

java -Xbootclasspath:rt.jar -cp "target" exp.MutableStringExp

output is:

A
X

P.S this will only work with modified rt.jar and use this option to override rt.jar is violation of jre licence.