java.lang.String is NOT immutable

I found some code on a Java mailing list that challenges a lot of the assumptions about how strings work in Java.

There is a standard newbie question about immutable strings. It goes like this:
What gets printed out:

String lc = "lowercase";
lc.toUpperCase();
System.out.println(lc);

The standard answer is that you get "lowercase" because in Java, strings are immutable. The standard answer goes on to explain the benefits to security of having immutable strings, and how values can't be changed after they've been checked. I'm sure you've seen it all before.

So what about the following code:

String lc = "lowercase";
Mutant.toUpperCase(lc);
System.out.println(lc);

You'd think that because Mutant wasn't even part of the String class that it couldn't alter lc, but Mutant.toUpperCase(lc); uses a simple reflection trick to edit the string:

public static void toUpperCase(String orig)
{
    try
    {
        Field stringValue = String.class.getDeclaredField("value");
        stringValue.setAccessible(true);
        stringValue.set(orig, orig.toUpperCase().toCharArray());
    }
    catch (Exception ex)
    {
    }
}

The original article goes into a lot more depth, and a follow-up shows how to change the values of Integers too!.

The solution to the problem is to run your code with a Security manager turned on. That way you can be sure that people are not messing about with private variables.

Responses[23]

Posted by Joe Walker on 26 May 2005 12:59:33 BST #

Re: java.lang.String is NOT immutable

Comment from Jake the Mutant on 26 May 2005 15:10:45 BST #

Well, duh. If you use reflection to play with private fields, it's obviously not going to be immutable. Neither is any other "immutable" class you can come up with.

Re: java.lang.String is NOT immutable

Comment from Anonymous on 26 May 2005 15:20:01 BST #

Wow. Good job. You found something everyone else read 4 years ago. Duh is right.

Just adding my personal DUH

Comment from Anonymous on 26 May 2005 17:52:03 BST #

Its imutable for purposes of security. If you don't have the appropriate VM permissions you can't run that code. Try placing it in an applet.

Re: java.lang.String is NOT immutable

Comment from Anonymous on 26 May 2005 18:36:19 BST #

I think people are being too hard on you. keep on trucking

Re: java.lang.String is NOT immutable

Comment from Anonymous on 27 May 2005 13:49:39 BST #

I didn't know this little tidbit - so thanks. And ignore the other pricks.

Re: java.lang.String is NOT immutable

Comment from Anonymous on 17 November 2005 12:44:28 GMT #

LOL! If I ever catch someone using code like this in a serious piece of software, they will end up on http://www.thedailywtf.com/ !

Re: java.lang.String is NOT immutable

Comment from Anonymous on 27 May 2005 17:47:43 BST #

'lc.toUpperCase()' returns a NEW string, it does no modification on lc. So it is wrong to say that it fails because the value is immutable--it fails because you didn't know how to use the method.

Re: java.lang.String is NOT immutable

Comment from Brady on 27 May 2005 17:53:48 BST #

That's interesting. Is there a simple case when you'd want to do this rather than just saying lc = lc.toUpperCase();

Re: java.lang.String is NOT immutable

Comment from John Zoetebier on 01 June 2005 08:45:07 BST #

There is something like Java meta knowledge. This is about sane use of the Java language. It is not what you know about the syntax which makes you a good programmer. It is about when and how you use the language.

Re: java.lang.String is NOT immutable

Comment from Marc Schoenfeld on 01 June 2005 09:08:27 BST #

You do not get far with your reflection hacking if you run a SecurityManager. Then you need a ReflectPermission to do such potentially insecure operations which are endangering data integrity.

Re: java.lang.String is NOT immutable

Comment from Marc Schoenfeld on 01 June 2005 09:09:22 BST #

You do not get far with your reflection hacking if you run a SecurityManager. Then you need a ReflectPermission to do such potentially insecure operations which are endangering data integrity.

Re: java.lang.String is NOT immutable

Comment from Anonymous on 01 June 2005 11:14:49 BST #

Seems to me the basic types (value types) are better left immutable as they have no unique identity in an application - they only have a value. They are used to build the identity of the active objects. For a different value, use a different object - this way objects can hold their basic properties by sharing references to value types instead of cloning them to ensure they don't change everywhere when one object decides it needs a different property value. When everything is accessed via references, it's the safest way to work. There isn't a language yet devised in which it isn't possible to write bad programs, abuse the facilities.

Re: java.lang.String is NOT immutable

Comment from rodmac on 01 June 2005 16:09:57 BST #

> Seems to me the basic types (value types) are better left immutable <snip>

Your point rests on an assumption that some would argue with: that String is effectively a 'primitive' like int or float, which are clearly intended to be 'value types'. But is it?

I don't feel strongly one way or the other, but just to play Devi's advocate...

If String were intended to be purely a 'value type' than the language designers (Gosling and Co.) should have made it a primitive. But it isn't. It's an object. Why make it an object and then make it immutable?

This made the usage of String an unnecessary exception to standard object semantics--an exception that everyone has to learn to deal with (usually the hard way). I call it 'unnecessary' because, as far as I can determine, there was no clear benefit to making it an object that would offset the drawbacks. IMNSHO, this was a language design mistake.

Others would take a different tack and argue that including primitives in Java was the real design mistake. There is a case to be made for avoiding primitives and making *everything* in the language an object. I don't have a firm opinion on that either way, but it is an interesting argument.

Re: java.lang.String is NOT immutable

Comment from Aaron R> on 01 June 2005 17:02:58 BST #

I'd come across something similiar with altering the classloader at runtime. I'd never thought about other uses. Thanks for the info. Ignore the others.

Re: java.lang.String is NOT immutable

Comment from Anonymous on 01 June 2005 17:46:08 BST #

What's with all the nitwits telling him about SecurityManager when he mentions it right in the post?!

Re: java.lang.String is NOT immutable

Comment from Anonymous on 20 June 2005 10:18:41 BST #

for wht perpose they keep the String immutable ?

Re: java.lang.String is NOT immutable

Comment from Anonymous on 20 June 2005 10:20:12 BST #

for wht perpose they keep the String immutable ?

Re: java.lang.String is NOT immutable

Comment from Anonymous on 20 June 2005 10:20:16 BST #

for wht perpose they keep the String immutable ?

Re: java.lang.String is NOT immutable

Comment from Anonymous on 20 June 2005 10:20:27 BST #

for wht perpose they keep the String immutable ?

Re: java.lang.String is NOT immutable

Comment from Anonymous on 12 August 2005 14:14:51 BST #

for purpose of save usage as HashMap key

Re: java.lang.String is NOT immutable

Comment from Srikanth on 20 October 2005 13:14:08 BST #

Good attempt, but it may be better if you change the subject and finally make a conclusion that by *tweaking* you can make it immutable. Since a newbie would be confused with all the stuff and conclude that the String is mutable.

Re: java.lang.String is NOT immutable

Comment from Anonymous on 12 November 2005 00:53:20 GMT #

lol

Re: java.lang.String is NOT immutable

Comment from Leete on 12 November 2005 00:56:53 GMT #

Although we are discussing Java, this may give you some insite: "A String is called immutable because its value cannot be modified once it has been created. Methods that appear to modify a String actually return a new String containing the modification. If it is necessary to modify the actual contents of a string-like object, use the System.Text.StringBuilder class." Summing this up, this is the same case as with Java. Source: msdn.microsoft.com/library/en-us/ cpref/html/frlrfsystemstringclasstopic.asp

2012 February (0) January (0)	2011 December (0) November (0) October (0) September (0) August (0) July (0) June (0) May (0) April (0) March (0) February (0) January (0)
2010 December (0) November (0) October (0) September (1) August (0) July (0) June (0) May (0) April (0) March (0) February (1) January (0)	2009 December (0) November (0) October (0) September (0) August (1) July (0) June (0) May (1) April (1) March (0) February (3) January (0)
2008 December (2) November (1) October (0) September (0) August (0) July (2) June (0) May (2) April (1) March (5) February (2) January (1)	2007 December (4) November (3) October (2) September (0) August (3) July (2) June (1) May (2) April (8) March (11) February (4) January (7)
2006 December (4) November (2) October (4) September (3) August (7) July (3) June (3) May (10) April (3) March (4) February (5) January (3)	2005 December (1) November (7) October (8) September (10) August (5) July (7) June (11) May (6) April (2)

Re: java.lang.String is NOT immutable Comment from Anonymous on 08 February 2012 22:28:23 GMT #
Title
Body	HTML : b, strong, i, em, blockquote, br, p, pre, a href="", ul, ol, li, sub, sup
Name
E-mail address
Website
Remember me	Yes No
E-mail addresses are not publicly displayed, so please only leave your e-mail address if you would like to be notified when new comments are added to this blog entry (you can opt-out later).

Username
Password
Remember me