-
Notifications
You must be signed in to change notification settings - Fork 5.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8331671: Implement JEP 472: Prepare to Restrict the Use of JNI #19213
base: master
Are you sure you want to change the base?
Conversation
👋 Welcome back mcimadamore! A progress list of the required criteria for merging this PR into |
❗ This change is not yet ready to be integrated. |
@mcimadamore The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
jdk.accessibility \ | ||
jdk.charsets \ | ||
jdk.attach \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The list of allowed modules has been rewritten from scratch, by looking at the set of modules containing at least one native
method declaration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should I understand this list to be the set of modules exempt from needing to specific that native access is allowed ?
ie they always have native access without any warnings, and further that any attempt to enable warnings, or to disable native access for these modules is ignored ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this was added via JDK-8327218. The changes in this PR are just trimming down the list to only the modules that have native code.
Klass* klass = vmClasses::ClassLoader_klass(); | ||
Handle name_arg = java_lang_String::create_from_str(jni_name, CHECK_NULL); | ||
Handle jni_class(THREAD, method->method_holder()->java_mirror()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the biggest change in this PR. That is, we need to pass enough arguments to ClassLoader::findNative
so that the method can start a restricted check accordingly.
if (!EnableNativeAccess.isNativeAccessEnabled(target)) { | ||
if (ModuleBootstrap.hasEnableNativeAccessFlag()) { | ||
ModuleBootstrap.IllegalNativeAccess illegalNativeAccess = ModuleBootstrap.illegalNativeAccess(); | ||
if (illegalNativeAccess != ModuleBootstrap.IllegalNativeAccess.ALLOW && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are some changes in this code:
- this code is no-op if
--illegal-native-access
is set toallow
- we also attach the location of the problematic class to the warning message, using
CodeSource
- we use the "initial error stream" to emit the warning, similarly to what is done for other runtime warnings
ClassLoader.getSystemClassLoader().getUnnamedModule(); | ||
class Holder { | ||
static final JavaLangAccess JLA = SharedSecrets.getJavaLangAccess(); | ||
if (VM.isModuleSystemInited()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we call this code too early, we can see cases where module
is null
.
@@ -58,7 +58,7 @@ public class FileManager { | |||
loadOSXLibrary(); | |||
} | |||
|
|||
@SuppressWarnings("removal") | |||
@SuppressWarnings({"removal", "restricted"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are several of these changes. One option might have been to just disable restricted warnings when building. But on a deeper look, I realized that in all these places we already disabled deprecation warnings for the use of security manager, so I also added a new suppression instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds reasonable.
* questions. | ||
*/ | ||
|
||
module panama_jni_load_module { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This module setup is a bit convoluted, but I wanted to make sure that we got separate warnings for System.loadLibrary
and binding of the native
method, and that warning on the use of the native method was not generated (typically, all three operations occur in the same module).
Webrevs
|
Use initial error stream
Holder.JLA.ensureNativeAccess(module, owner, methodName, currentClass); | ||
if (module != null) { | ||
// not in init phase | ||
Holder.JLA.ensureNativeAccess(module, owner, methodName, currentClass); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In an earlier iteration I had a call to VM::isModuleSystemInited
, but I discovered that caused a performance regression, since that method involves a volatile access. Perhaps we should rethink that part of the init code to use stable fields, but it's probably better done separately.
Build changes look good. |
Improve warning for JNI methods, similar to what's described in JEP 472 Beef up tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hotspot changes look good - notwithstanding discussion about properlty namespace placement. Manpage changes also look good.
src/java.base/share/classes/jdk/internal/module/ModuleBootstrap.java
Outdated
Show resolved
Hide resolved
Hello Maurizio, in the current mainline, we have code in
where |
The options are additive - e.g. the enable-native-access in the manifest will add up to the enable-native-access in the command line, so effectively it will be as if you were running with --enable-native-access=M1,M2,ALL-UNNAMED |
src/java.base/share/classes/java/lang/foreign/package-info.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good. Just a few minor comments where future maintainers might appreciate comments that describe parameters.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you looked into / thought about how this will work for jpackaged apps ?
I suspect that both the existing FFM usage and this will be options the application packager will need to supply when building the jpackaged app - the end user cannot pass in command line VM options.
Seems there should be some testing of this as some kind of native access could be a common case for jpackaged apps.
jdk.accessibility \ | ||
jdk.charsets \ | ||
jdk.attach \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should I understand this list to be the set of modules exempt from needing to specific that native access is allowed ?
ie they always have native access without any warnings, and further that any attempt to enable warnings, or to disable native access for these modules is ignored ?
@@ -58,7 +58,7 @@ public class FileManager { | |||
loadOSXLibrary(); | |||
} | |||
|
|||
@SuppressWarnings("removal") | |||
@SuppressWarnings({"removal", "restricted"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds reasonable.
I don't see any tests in test/jdk/tools/jpackage that creates an application that uses JNI code. Seems like a good idea to add this via another PR and it specify --java-options so that the application launcher enables native access. It could test jpackage using jlink too. |
These are all good suggestions. I have not looked into jpackage, but yes, I would expect that the jpackage user would need to provide extra options when packaging the application. The same is true for creating JDK image jlink (which we use in the jextract build) - although, in that case the end user also has the possibility to pass options on the command line. |
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
client parts look fine.
It would be good to document how jpackage users packaging apps with native access will be affected by this change. Primarily that they need to pass |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Build changes look good. Thanks for trimming down NATIVE_ACCESS_MODULES.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested this with JavaFX and everything is working as I would expect. Without any options, I get the expected warnings, one time per modules for the three javafx.*
modules that use JNI. If I pass the --enable-native-access
options at runtime, listing those three modules, there is no warning. Further, I confirm that if I pass that option to jlink or jpackage when creating a custom runtime, there is no warning.
Great! What about jpackage without a custom runtime, wondering if --java-options can be tested. |
Yes, pointing to an existing runtime works, too. In either mode (jpackage using an existing Java runtime vs running jlink to create a new one), the options specified by |
This PR implements JEP 472, by restricting the use of JNI in the following ways:
System::load
andSystem::loadLibrary
are now restricted methodsRuntime::load
andRuntime::loadLibrary
are now restricted methodsnative
method declaration to a native implementation is now considered a restricted operationThis PR slightly changes the way in which the JDK deals with restricted methods, even for FFM API calls. In Java 22, the single
--enable-native-access
was used both to specify a set of modules for which native access should be allowed and to specify whether illegal native access (that is, native access occurring from a module not specified by--enable-native-access
) should be treated as an error or a warning. More specifically, an error is only issued if the--enable-native-access flag
is used at least once.Here, a new flag is introduced, namely
illegal-native-access=allow/warn/deny
, which is used to specify what should happen when access to a restricted method and/or functionality is found outside the set of modules specified with--enable-native-access
. The default policy iswarn
, but users can selectallow
to suppress the warnings, ordeny
to causeIllegalCallerException
to be thrown. This aligns the treatment of restricted methods with other mechanisms, such as--illegal-access
and the more recent--sun-misc-unsafe-memory-access
.Some changes were required in the package-info javadoc for
java.lang.foreign
, to reflect the changes in the command line flags described above.Progress
Issues
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/19213/head:pull/19213
$ git checkout pull/19213
Update a local copy of the PR:
$ git checkout pull/19213
$ git pull https://git.openjdk.org/jdk.git pull/19213/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 19213
View PR using the GUI difftool:
$ git pr show -t 19213
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/19213.diff
Webrev
Link to Webrev Comment