Ready Steady Go

Posted by editor on October 31, 2005 at 7:11 AM PST

Take a crack at Mustang's bytecode verifier

Your first hint that today's first announcement is a big deal: just eight hours after it went public, and 90 minutes after it was on the front page, the Crack The Verifier initiative got Slashdotted.

Crack The Verifier comes from the J2SE team, which has been dropping weekly builds of Mustang for public review and consumption. Now it's time to expose the new bytecode verifier to public view. As the CTV page explains, "the new Mustang JDK includes a new approach to verification called the Type Checking Verifier that includes a performance optimization breakthrough. But the bytecode verifier is at the heart of Java security, so a new implementation needs a very strenuous review and analysis." You can learn more about the ideas behind the new verifier at What is the Type Checking Verifier? And if you're interested in seeing if this approach is really up to snuff, you can apply your attacking skills in Crack the Verifier - Challenge to see if you can find any holes.

But, you might be asking, why is the heart and soul of Java being thrown to the wolves in such a manner? Graham Hamilton talks about the motivations behind CTV in his blog entry Help Crack The Java Verifier:

As part of Mustang we will be delivering a whole new classfile verifier implementation based on an entirely new verification approach. The classfile verifier is the very heart of the whole Java sandbox model, so replacing both the implementation and the basic verification model is a Really Big Deal. See Gilad Bracha's blog for an overview of the new verifier plus links to the spec. The new verifier is faster and smaller than the classic verifier, but at the same time it doesn't have the ten years of reassuring shakedown history that we have with the classic verifier.

The new verifier led us to an interesting test of our new development philosophy. Should we delay exposing the new verifier for as long as possible? Or should we push it out, advertise it, and ask for the community's help in reviewing it? Well, I will confess that many of us had an initial fit of the heebie-jeebies about publishing the source code for the new verifier. "But what if someone finds an ugly security hole?" Gasp!

But that question does kind of answer itself, doesn't it? If someone spots a problem we can fix it and we can fix it before we finalize the release. Happiness!

We think the new verifier model is sound and we are taking various steps to review the actual implementation code. But the more eyes that can look at this before it goes into production use, the better.

Now, did I say that CTV was today's first announcement? There's more for this Monday. In this week's Spotlight, we feature the Planning JavaOne 2006 Forum, which offers an opportunity for members to suggest the content and direction of the JavaOne 2006 conference. There are separate discussions for each of the major tracks (which may be used as the categories in the Call For Papers): Web Tier, Tools, Core Enterprise, Desktop, Core Platform, Mobile and Embedded Devices, and Cool Stuff. A Grab Bag discussion offers an opportunity to post other ideas for JavaOne that don't fit into one particular track.

Kicking off one of the JavaOne 2006 track discussions, the welcome message for the Cool Stuff discussion says:
"Please post your thoughts and ideas for the Cool Stuff [track at JavaOne 2006] here. This is a tough one to "keyword". The track's charter is very broad, and virtually any interesting work qualifies for a session. Past topics (Keywords?) included robotic arm control, scripting languages, an interactive music game device, server APIs for mobile services, platform extensions for debugging and enhanced scalability, the latest in Remote Method Invocation (RMI), Jini™ network technology, aspect-oriented programming, Grid computing..."

Elsewhere in the Forums, cbutterfield discusses an interesting GUI edge case in SplashScreen: request ability to set location (2nd try):
"The new SplashScreen capability addresses a real need. For my application, one more feature would be very helpful -- the ability to control the splash screen location. The current behavior is (presumably) fine for desktop apps. In my application, (involving an embedded processor) the end-user sees only the upper left quadrant of the nominal full screen (because only that portion is displayed on their reduced size wrist-worn or heads-up display). During normal operations, we maintain the application windows in the viewable (upper left) portion of the full screen. It would be nice to be able to move the splash screen to that same area."

Here's a bit of forward-looking Forum news: on Wednesday, we'll be re-launching our Book Club forum, with an extended discussion and analysis of Bruce Tate's thought-provoking and controversial Beyond Java. If you want to read ahead to be ready for the discussion, but you don't have the book, you can check it out as part of the Safari Bookshelf, our online book service, which also offers a 14-day free trial.

Also in Projects and
are you interested in using the NetBeans IDE to develop applications for the JBoss application server? The article Using NetBeans with the JBoss Getting Started Guide will show you how - it is intended as a comparison to this online JBoss document Getting Started with JBoss 4.0. Using an existing JBoss application it shows how to create a project and then use the IDE to browse, build, deploy, and debug.

Santiago Pericas-Geertsen writes about Fast Infoset in the Real World in today's Weblogs:
"It usually takes time for new ideas and technologies to be adopted by the industry. However, Fast Infoset (FI), a binary encoding for the XML infoset, is growing very quickly. A good example of this is a recently founded company, Inversoft, which has developed an XML-based protocol and is using FI as a space/time efficient encoding."

Andreas Schaefer offers praise for openness in Sun lets you Scratch the Itch in the JDK 1.6:
"After complaining about shortcomings in the Java JDK for some time I took the opportunity to actually try to fix one of the problems I encountered and send a patch to Sun. Looking back I have to give kudos to Sun how relatively easy it is to become a contributor and that they really want to keep the developers in the loop not like in the "good old" days where submitting a bug report meant that I just disappeared in a black hole and if you were lucky it reappeared later."

In 'Close' icons on a JTabbedPane w/o UI interference, Joerg Plewe writes:
"Many apps require a 'close' icon on a tab of a JTabbedPane. Most solutions require manipulation of the L&F classes. There is another option that works without interference with the UI using proactive icons."

Also in Java Today

AJAX offers a richer experience in the browser, but it also works against the browser in sometimes uncomfortable ways. In particular, AJAX applications typically run within a single page and don't withstand forward/back navigation particularly well. Brad Neuberg provides an answer in AJAX: How to Handle Bookmarks and Back Buttons, offering a "Really Simple History" framework based on two clever principles: "First, a hidden HTML form is used to allow for a large transient session cache of client-side information; this cache is robust against navigation to and away from the page. Second, a combination of hyperlink anchors and hidden iframes is used to intercept and record browser history events, tying into the back and forward buttons."

"While the multi-line selectbox typically provides a better look and feel when the choices are limited, a group of checkboxes is the better choice for any enterprise application where selection boxes must be rendered dynamically and contain preselection functionality. Fortunately, creating a group of dynamic checkboxes is easy to do with the Struts framework." In Dynamic checkboxes with Struts, Danilo Gurovich shows how to use two important Struts tags to make it work.
