From davidalayachew at gmail.com Sun Sep 7 06:44:12 2025
From: davidalayachew at gmail.com (David Alayachew)
Date: Sun, 7 Sep 2025 02:44:12 -0400
Subject: Asking for JEP 1 to be revised to include details of JEP 2.0 Process Proposal
Message-ID:

Hello,

At the very top of JEP 1, there is the following snippet.

> *NOTE: Much of this document is*
> *superseded by the JEP 2.0 Process*
> *Proposal, in which JEPs are created and*
> *maintained as a custom "JEP" issue type in*
> *the JDK Bug System. Please see the*
> *proposal for details. That proposal will*
> *eventually be folded into this document.*

After reading through 2.0 (not to be confused with JEP 2), it seems like
2.0's reason for existing is to communicate what details from JEP 1 have
changed, now that we are using JBS instead of Mercurial to house the JEP's.
It also appears that the "folding" has not yet completed.

I am trying to *fully* understand the *current* "spec" of a JEP and the
JEP Process, so wanted to make sure that I am looking at the right version.

2.0 only contains the details of JEP 1 that have changed. And while I am
fine mentally "rebasing" the changes of 2.0 against JEP 1, I'd also prefer
to look at a single source of truth.

Could we complete the "folding" of JEP 2.0 Process Proposal into JEP 1? It
seems like the process outlined in 2.0 is active and in use, but just not
explicitly documented in JEP 1, other than the notice.

Thank you for your time and help.
David Alayachew

From davidalayachew at gmail.com Sun Sep 7 06:47:44 2025
From: davidalayachew at gmail.com (David Alayachew)
Date: Sun, 7 Sep 2025 02:47:44 -0400
Subject: Asking for JEP 1 (and 2) to be revised to include details of JEP 2.0 Process Proposal
In-Reply-To:
References:
Message-ID:

Also, this would (necessarily) require folding the changes from JEP 2.0
Process Proposal into JEP 2, as listed in the bottom of the JEP 2.0
Process Proposal.
*(Again, JEP 2.0 Process Proposal is not to be confused with JEP 1 or 2.)*

On Sun, Sep 7, 2025, 2:44 AM David Alayachew wrote:

> Hello,
>
> At the very top of JEP 1, there is the following snippet.
>
> > *NOTE: Much of this document is*
> > *superseded by the JEP 2.0 Process*
> > *Proposal, in which JEPs are created and*
> > *maintained as a custom "JEP" issue type in*
> > *the JDK Bug System. Please see the*
> > *proposal for details. That proposal will*
> > *eventually be folded into this document.*
>
> After reading through 2.0 (not to be confused with JEP 2), it seems like
> 2.0's reason for existing is to communicate what details from JEP 1 have
> changed, now that we are using JBS instead of Mercurial to house the JEP's.
> It also appears that the "folding" has not yet completed.
>
> I am trying to *fully* understand the *current* "spec" of a JEP and the
> JEP Process, so wanted to make sure that I am looking at the right version.
>
> 2.0 only contains the details of JEP 1 that have changed. And while I am
> fine mentally "rebasing" the changes of 2.0 against JEP 1, I'd also prefer
> to look at a single source of truth.
>
> Could we complete the "folding" of JEP 2.0 Process Proposal into JEP 1? It
> seems like the process outlined in 2.0 is active and in use, but just not
> explicitly documented in JEP 1, other than the notice.
>
> Thank you for your time and help.
> David Alayachew
>

From davidalayachew at gmail.com Mon Sep 8 13:14:19 2025
From: davidalayachew at gmail.com (David Alayachew)
Date: Mon, 8 Sep 2025 09:14:19 -0400
Subject: Where do I direct questions about the Playground feature on the dev.java website?
Message-ID:

Hello,

I have some feedback to give, regarding the Playground feature on the
https://dev.java website, found here --> https://dev.java/playground/.

Which mailing list is appropriate to direct this feedback to?

Thank you for your time and help.
David Alayachew

From ethan at mccue.dev Mon Sep 8 13:18:56 2025
From: ethan at mccue.dev (Ethan McCue)
Date: Mon, 8 Sep 2025 09:18:56 -0400
Subject: Where do I direct questions about the Playground feature on the dev.java website?
In-Reply-To:
References:
Message-ID:

Is it the issue where the first time you highlight code it gets deleted?
If it's that I've heard through the grapevine a fix is coming

On Mon, Sep 8, 2025, 9:17 AM David Alayachew wrote:

> Hello,
>
> I have some feedback to give, regarding the Playground feature on the
> https://dev.java website, found here --> https://dev.java/playground/.
>
> Which mailing list is appropriate to direct this feedback to?
>
> Thank you for your time and help.
> David Alayachew
>

From daniel at wwwmaster.at Mon Sep 8 16:14:10 2025
From: daniel at wwwmaster.at (Daniel Schmid)
Date: Mon, 8 Sep 2025 18:14:10 +0200
Subject: Where do I direct questions about the Playground feature on the dev.java website?
In-Reply-To:
References:
Message-ID:

Hi,

As far as I know, the dev.java site and the playground is not maintained
by OpenJDK but Oracle's devrel group.

While there is no mailing list (I know about), the issue tracker at
https://github.com/java/devrel/issues should be fine for that purpose.

On 08/09/2025 15:14, David Alayachew wrote:

> Hello,
>
> I have some feedback to give, regarding the Playground feature on the
> https://dev.java website, found here --> https://dev.java/playground/.
>
> Which mailing list is appropriate to direct this feedback to?
>
> Thank you for your time and help.
> David Alayachew

From davidalayachew at gmail.com Tue Sep 9 02:34:08 2025
From: davidalayachew at gmail.com (David Alayachew)
Date: Mon, 8 Sep 2025 22:34:08 -0400
Subject: Where do I direct questions about the Playground feature on the dev.java website?
In-Reply-To:
References:
Message-ID:

No, but good to know, ty.

On Mon, Sep 8, 2025 at 9:19 AM Ethan McCue wrote:

> Is it the issue where the first time you highlight code it gets deleted?
> If it's that I've heard through the grapevine a fix is coming
>
> On Mon, Sep 8, 2025, 9:17 AM David Alayachew
> wrote:
>
>> Hello,
>>
>> I have some feedback to give, regarding the Playground feature on the
>> https://dev.java website, found here --> https://dev.java/playground/.
>>
>> Which mailing list is appropriate to direct this feedback to?
>>
>> Thank you for your time and help.
>> David Alayachew
>>
>

From davidalayachew at gmail.com Tue Sep 9 02:34:20 2025
From: davidalayachew at gmail.com (David Alayachew)
Date: Mon, 8 Sep 2025 22:34:20 -0400
Subject: Where do I direct questions about the Playground feature on the dev.java website?
In-Reply-To:
References:
Message-ID:

Thanks, will do.

On Mon, Sep 8, 2025 at 12:14 PM Daniel Schmid wrote:

> Hi,
>
> As far as I know, the dev.java site and the playground is not maintained
> by OpenJDK but Oracle's devrel group.
>
> While there is no mailing list (I know about), the issue tracker at
> https://github.com/java/devrel/issues should be fine for that purpose.
> On 08/09/2025 15:14, David Alayachew wrote:
>
> Hello,
>
> I have some feedback to give, regarding the Playground feature on the
> https://dev.java website, found here --> https://dev.java/playground/.
>
> Which mailing list is appropriate to direct this feedback to?
>
> Thank you for your time and help.
> David Alayachew
>
>

From some-java-user-99206970363698485155 at vodafonemail.de Tue Sep 16 21:15:20 2025
From: some-java-user-99206970363698485155 at vodafonemail.de (some-java-user-99206970363698485155 at vodafonemail.de)
Date: Tue, 16 Sep 2025 23:15:20 +0200
Subject: On the unsafety of sun.misc.Unsafe
Message-ID: <942d1238-a4a6-45ee-9de8-831bd4f98545@vodafonemail.de>

Hello,

when Maurizio Cimadamore and Per-Ake Minborg wrote about sun.misc.Unsafe
a few months ago [1], it might have been a bit abstract what it actually
means for Unsafe to be "unsafe" and what the effects can be.

During the past months I was looking into this topic, and one result of
this is CVE-2024-36114 for a third-party library using Unsafe:

    Missing bounds checks for Unsafe usage allowed crashing the JVM and
    possibly leaking unrelated data of the JVM process

I don't want to discredit the authors of that library with this, instead
I want to point out how easily such issues can occur and what
consequences they can have. Neither do I want to imply that Unsafe usage
is generally bad, however it can certainly be risky, especially if used
in a situation where untrusted data is processed.

So from a stability and security perspective I think it was a good
decision by the JDK maintainers to deprecate the Unsafe memory access
methods (JEP 471) and to issue warnings on their usage (JEP 498).

For Unsafe even small issues such as missing bounds checks or numeric
overflow can have pretty big consequences, whereas in regular Java code
you would most likely merely get a runtime exception. IDEs and code
scanning tools are probably not that helpful here either because to them
the calls to Unsafe just look like regular method calls; the tools are
unaware of the effects incorrect arguments can have.

My impression is that Unsafe did not get a lot of attention from security
researchers in the past years, and that little tooling exists to detect
invalid memory access performed by Unsafe.
Additionally, the JDK itself has no built-in functionality to validate
Unsafe memory access either.

As part of my research I developed a tool for detecting invalid memory
access performed by Unsafe:
https://github.com/Marcono1234/unsafe-address-sanitizer
It uses Java instrumentation to inject additional validation into Unsafe.

Also, the JVM fuzzer Jazzer
(https://github.com/CodeIntelligenceTesting/jazzer) has been extended in
the latest version 0.25.0 to detect invalid array memory access performed
by Unsafe.

So if you are developing a project which uses Unsafe or want to
investigate the safety of a library using Unsafe, maybe give the
sanitizer or Jazzer a try (and for issues you find in third-party
libraries, report them privately to their maintainers please).

Feedback for unsafe-address-sanitizer is highly appreciated! I hope it is
useful for further improving the safety of the Java ecosystem.

Using Jazzer is also rather straightforward, see the Jazzer README [2].
When running fuzzing for a third-party library you also need a
`src/test/resources/junit-platform.properties` file containing
`jazzer.instrument=com.example.**` (using the actual package name of the
library).

Thanks to the JDK maintainers for their efforts on making the Java
runtime safer and for making it more obvious when third-party libraries
you are using rely on Unsafe.

Kind regards

(I hope it is ok that I wrote to this mailing list and that it is enough
on-topic. I considered writing to panama-dev instead but since this mail
here is not directly related to FFM API development or similar, I assumed
it would not be suitable there.)

(Note that I am not affiliated with Jazzer or the company maintaining it.)

[1] https://inside.java/2025/06/12/ffm-vs-unsafe/
[2] https://github.com/CodeIntelligenceTesting/jazzer?tab=readme-ov-file#junit-5
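
Added example, not part of the message above and not code from the library behind CVE-2024-36114 or from either tool: a minimal Java sketch of the failure mode the message describes, an Unsafe array copy whose offset and length are never validated, next to the same copy with a range check that is also safe against numeric overflow. The class and method names (`UnsafeBoundsDemo`, `sliceUnchecked`, `sliceChecked`) are hypothetical and the input bytes are constructed.

```java
import java.lang.reflect.Field;
import java.util.Objects;
import sun.misc.Unsafe;

public class UnsafeBoundsDemo {
    private static final Unsafe U = loadUnsafe();
    private static final long BASE = Unsafe.ARRAY_BYTE_BASE_OFFSET;

    private static Unsafe loadUnsafe() {
        try {
            Field f = Unsafe.class.getDeclaredField("theUnsafe");
            f.setAccessible(true);
            return (Unsafe) f.get(null);
        } catch (ReflectiveOperationException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Unchecked: Unsafe validates nothing, so an offset/length outside buf
    // touches unrelated memory or crashes the JVM instead of throwing.
    static byte[] sliceUnchecked(byte[] buf, int offset, int length) {
        byte[] out = new byte[length];
        U.copyMemory(buf, BASE + offset, out, BASE, length);
        return out;
    }

    // Checked: reject the range before any memory access. A hand-written
    // "offset + length <= buf.length" test would wrap for large offsets;
    // checkFromIndexSize handles negatives and overflow.
    static byte[] sliceChecked(byte[] buf, int offset, int length) {
        Objects.checkFromIndexSize(offset, length, buf.length);
        return sliceUnchecked(buf, offset, length);
    }

    public static void main(String[] args) {
        byte[] buf = {10, 20, 30, 40}; // constructed sample input
        System.out.println("in-range slice length: " + sliceChecked(buf, 1, 2).length);
        // Constructed malformed (offset, length) pairs, as untrusted input might supply.
        int[][] malformed = {{2, 3}, {-1, 2}, {Integer.MAX_VALUE, 2}, {1, -1}};
        for (int[] m : malformed) {
            try {
                sliceChecked(buf, m[0], m[1]);
                throw new AssertionError("range was not rejected");
            } catch (IndexOutOfBoundsException e) {
                System.out.println("rejected offset=" + m[0] + " length=" + m[1]);
            }
        }
    }
}
```

Only `sliceChecked` is called with the malformed pairs; `sliceUnchecked` is shown for comparison and is reached only after validation. On JDKs that implement JEP 498, running this also prints the Unsafe memory-access warning the message refers to.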