/* * Copyright (c) 2019, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. * */ /** *

Provides low-level access to memory and functions outside the Java runtime. * *

Foreign memory access

* *

* The main abstraction introduced to support foreign memory access is {@link java.lang.foreign.MemorySegment}, which * models a contiguous region of memory, residing either inside or outside the Java heap. Memory segments are * typically allocated using an {@link java.lang.foreign.Arena}, which controls the lifetime of the regions of memory * backing the segments it allocates. The contents of a memory segment can be described using a * {@link java.lang.foreign.MemoryLayout memory layout}, which provides basic operations to query sizes, offsets and * alignment constraints. Memory layouts also provide an alternate, more abstract way, to * access memory segments using * {@linkplain java.lang.foreign.MemoryLayout#varHandle(java.lang.foreign.MemoryLayout.PathElement...) var handles}, * which can be computed using layout paths. * * For example, to allocate an off-heap region of memory big enough to hold 10 values of the primitive type {@code int}, * and fill it with values ranging from {@code 0} to {@code 9}, we can use the following code: * * {@snippet lang = java: * try (Arena arena = Arena.ofConfined()) { * MemorySegment segment = arena.allocate(10 * 4); * for (int i = 0 ; i < 10 ; i++) { * segment.setAtIndex(ValueLayout.JAVA_INT, i, i); * } * } * } * * This code creates a native memory segment, that is, a memory segment backed by * off-heap memory; the size of the segment is 40 bytes, enough to store 10 values of the primitive type {@code int}. * The native segment is allocated using a {@linkplain java.lang.foreign.Arena#ofConfined() confined arena}. * As such, access to the native segment is restricted to the current thread (the thread that created the arena). * Moreover, when the arena is closed, the native segment is invalidated, and its backing region of memory is * deallocated. Note the use of the try-with-resources construct: this idiom ensures that the off-heap region * of memory backing the native segment will be released at the end of the block, according to the semantics described * in Section {@jls 14.20.3} of The Java Language Specification. *

* Memory segments provide strong safety guarantees when it comes to memory access. First, when accessing a memory segment, * the access coordinates are validated (upon access), to make sure that access does not occur at any address which resides * outside the boundaries of the memory segment used by the access operation. We call this guarantee spatial safety; * in other words, access to memory segments is bounds-checked, in the same way as array access is, as described in * Section {@jls 15.10.4} of The Java Language Specification. *

* Additionally, to prevent a region of memory from being accessed after it has been deallocated * (i.e. use-after-free), a segment is also validated (upon access) to make sure that the arena from which it * has been obtained has not been closed. We call this guarantee temporal safety. *

* Together, spatial and temporal safety ensure that each memory access operation either succeeds - and accesses a valid * location within the region of memory backing the memory segment - or fails. * *

Foreign function access

* The key abstractions introduced to support foreign function access are {@link java.lang.foreign.SymbolLookup}, * {@link java.lang.foreign.FunctionDescriptor} and {@link java.lang.foreign.Linker}. The first is used to look up symbols * inside libraries; the second is used to model the signature of foreign functions, while the third provides * linking capabilities which allows modelling foreign functions as {@link java.lang.invoke.MethodHandle} instances, * so that clients can perform foreign function calls directly in Java, without the need for intermediate layers of C/C++ * code (as is the case with the Java Native Interface (JNI)). *

* For example, to compute the length of a string using the C standard library function {@code strlen} on a Linux/x64 platform, * we can use the following code: * * {@snippet lang = java: * Linker linker = Linker.nativeLinker(); * SymbolLookup stdlib = linker.defaultLookup(); * MethodHandle strlen = linker.downcallHandle( * stdlib.find("strlen").get(), * FunctionDescriptor.of(ValueLayout.JAVA_LONG, ValueLayout.ADDRESS) * ); * * try (Arena arena = Arena.ofConfined()) { * MemorySegment cString = arena.allocateUtf8String("Hello"); * long len = (long)strlen.invokeExact(cString); // 5 * } *} * * Here, we obtain a {@linkplain java.lang.foreign.Linker#nativeLinker() native linker} and we use it * to {@linkplain java.lang.foreign.SymbolLookup#find(java.lang.String) look up} the {@code strlen} function in the * standard C library; a downcall method handle targeting said function is subsequently * {@linkplain java.lang.foreign.Linker#downcallHandle(FunctionDescriptor, Linker.Option...) obtained}. * To complete the linking successfully, we must provide a {@link java.lang.foreign.FunctionDescriptor} instance, * describing the signature of the {@code strlen} function. * From this information, the linker will uniquely determine the sequence of steps which will turn * the method handle invocation (here performed using {@link java.lang.invoke.MethodHandle#invokeExact(java.lang.Object...)}) * into a foreign function call, according to the rules specified by the ABI of the underlying platform. * The {@link java.lang.foreign.Arena} class also provides many useful methods for * interacting with foreign code, such as * {@linkplain java.lang.foreign.SegmentAllocator#allocateUtf8String(java.lang.String) converting} Java strings into * zero-terminated, UTF-8 strings, as demonstrated in the above example. * *

Restricted methods

* Some methods in this package are considered restricted. Restricted methods are typically used to bind native * foreign data and/or functions to first-class Java API elements which can then be used directly by clients. For instance * the restricted method {@link java.lang.foreign.MemorySegment#reinterpret(long)} ()} * can be used to create a fresh segment with the same address and temporal bounds, * but with the provided size. This can be useful to resize memory segments obtained when interacting with native functions. *

* Binding foreign data and/or functions is generally unsafe and, if done incorrectly, can result in VM crashes, * or memory corruption when the bound Java API element is accessed. For instance, incorrectly resizing a native * memory sgement using {@link java.lang.foreign.MemorySegment#reinterpret(long)} can lead to a JVM crash, or, worse, * lead to silent memory corruption when attempting to access the resized segment. For these reasons, it is crucial for * code that calls a restricted method to never pass arguments that might cause incorrect binding of foreign data and/or * functions to a Java API. *

* Given the potential danger of restricted methods, the Java runtime issues a warning on the standard error stream * every time a restricted method is invoked. Such warnings can be disabled by granting access to restricted methods * to selected modules. This can be done either via implementation-specific command line options, or programmatically, e.g. by calling * {@link java.lang.ModuleLayer.Controller#enableNativeAccess(java.lang.Module)}. *

* For every class in this package, unless specified otherwise, any method arguments of reference * type must not be null, and any null argument will elicit a {@code NullPointerException}. This fact is not individually * documented for methods of this API. * * @apiNote Usual memory model guarantees, for example stated in {@jls 6.6} and {@jls 10.4}, do not apply * when accessing native memory segments as these segments are backed by off-heap regions of memory. * * @implNote * In the reference implementation, access to restricted methods can be granted to specific modules using the command line option * {@code --enable-native-access=M1,M2, ... Mn}, where {@code M1}, {@code M2}, {@code ... Mn} are module names * (for the unnamed module, the special value {@code ALL-UNNAMED} can be used). If this option is specified, access to * restricted methods is only granted to the modules listed by that option. If this option is not specified, * access to restricted methods is enabled for all modules, but access to restricted methods will result in runtime warnings. * * @spec jni/index.html Java Native Interface Specification */ package java.lang.foreign;