JDK-8334569

Add a tool like jdeprscan to find usage of restricted methods


    • Type: CSR
    • Resolution: Approved
    • Priority: P3
    • 24
    • tools
    • None
    • behavioral
    • minimal
    • add/remove command in $JDK/bin
    • JDK

      Summary

      Provide a command-line tool that scans for code that may access native functionality, such as calls to restricted methods or declarations of native methods.

      Problem

      Since the FFM API was finalized in Java 22, as part of the push for 'integrity by default' (https://bugs.openjdk.org/browse/JDK-8305968), code that uses the restricted methods in the FFM API can trigger warning messages of the form:

      WARNING: A restricted method in java.lang.foreign.MemorySegment has been called
      WARNING: <restricted method> has been called by <caller class> in <module name>
      WARNING: Use --enable-native-access=<module name> to avoid a warning for callers in this module
      WARNING: Restricted methods will be blocked in a future release unless native access is enabled

      In the reference implementation, clients can then use the flag --enable-native-access=<module name>, as the warning message suggests, to grant a particular module access to restricted methods, thus silencing the warning.

      However, it may be hard to determine ahead of time whether code in a jar file calls restricted or native methods. For instance, if the jar file is supplied by a third party, the fact that it requires native access may not be documented. A user may attempt to find modules that require native access through testing. However, this may not reveal all modules that require native access, for instance because the tests never execute a code path that uses native functionality, or because there are untested configurations in which some modules require native functionality.

      More warnings may be emitted in the future by the restriction of JNI (https://bugs.openjdk.org/browse/JDK-8307341). However, even if JNI is never restricted, a client may still want to know whether a library they are using accesses native code.

      Solution

      Add a static analysis tool, called jnativescan, that finds restricted method calls and native method declarations. It indicates to users whether code in jar files accesses native functionality and, if so, which modules, classes and methods do so.
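
      A scan of this kind can be written with the java.lang.classfile API (final in JDK 24). The class below is an added example, not jnativescan's own code or anything from this issue; the name NativeUseScan and the short RESTRICTED list (a hand-picked subset of restricted FFM methods) are assumptions, and calls reached through invokedynamic or reflection are not detected.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.classfile.ClassFile;
import java.lang.classfile.ClassModel;
import java.lang.classfile.CodeElement;
import java.lang.classfile.MethodModel;
import java.lang.classfile.instruction.InvokeInstruction;
import java.lang.reflect.AccessFlag;
import java.util.Collections;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical class name. Usage: java NativeUseScan.java app.jar (JDK 24 or later)
public class NativeUseScan {
    // Assumption: illustrative, non-exhaustive subset of restricted FFM methods (owner.name).
    static final Set<String> RESTRICTED = Set.of(
        "java/lang/foreign/Linker.downcallHandle",
        "java/lang/foreign/Linker.upcallStub",
        "java/lang/foreign/MemorySegment.reinterpret",
        "java/lang/foreign/SymbolLookup.libraryLookup");

    public static void main(String[] args) throws IOException {
        try (JarFile jar = new JarFile(args[0])) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (!entry.getName().endsWith(".class")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    scan(ClassFile.of().parse(in.readAllBytes()));
                }
            }
        }
    }

    // Reports native method declarations and direct calls to the listed restricted methods.
    static void scan(ClassModel cm) {
        String cls = cm.thisClass().asInternalName();
        for (MethodModel m : cm.methods()) {
            String where = cls + "." + m.methodName().stringValue() + m.methodType().stringValue();
            if (m.flags().has(AccessFlag.NATIVE)) System.out.println("native declaration: " + where);
            m.code().ifPresent(code -> {          // abstract and native methods have no Code attribute
                for (CodeElement el : code) {
                    if (!(el instanceof InvokeInstruction inv)) continue;
                    String target = inv.owner().asInternalName() + "." + inv.name().stringValue();
                    if (RESTRICTED.contains(target)) System.out.println("restricted call: " + where + " -> " + target);
                }
            });
        }
    }
}
```

      Because it reads every class file in the jar, it also reports code paths that a test run never executes.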

      Specification

      A copy of the generated man page is attached.

            jvernee Jorn Vernee
            mcimadamore Maurizio Cimadamore
            Alan Bateman, Maurizio Cimadamore