[foreign-abi] minimizing the surface of restricted native access
Maurizio Cimadamore
maurizio.cimadamore at oracle.com
Mon Dec 2 15:12:38 UTC 2019
On 02/12/2019 14:59, Ty Young wrote:
> You wouldn't think anything was special about the returned
> MemoryAddress until later when you surprisingly find out that it's a
> Nothing segment.
Same thing about passing MemoryAddresses - if the address you pass is
heap-based (MemorySegment.ofArray) the call just works statically (at
compile-time) only to fail at runtime because... well it's not a native
address. Or, you could get an address that is backed by a segment of
size 10, when you expected size 12 (which is really like accessing a
Nothing segment).
I think maybe you are asking too much of this API - the goal of the
ABI/memory access API is to provide the knobs on top of which more
friendly Java APIs can be constructed.
One of the tricky aspects of Project Panama is figuring out who the
"user" is. You seem to imagine a case where _every_ Java developer will
create native method handles, and access them directly. I think this
assumption does not reflect reality - these APIs are low-level, and I
suspect that an average user would at least need to go through a round
of extraction, using some tools (like jextract, but also other tools).
It will then be up to the extraction tool to decide (and document
accordingly) exactly what happens with functions such as strcat - and it
will be also up to the users of such tools to get acquainted with how
the tool decides to map things. From our perspective, the really
important thing to ask is whether the API is complete enough to cover
what people want to do.
The solution I outlined last week worked pretty well when passing around
opaque pointers, but broke down when it came to dereferencing pointers
coming from native, as an excessive amount of safety info was thrown out
when doing so (see Ioannis' email). I think the solution I posted a few
minutes ago should address that, so that custom extractors are free to
infer extra safety information and embed it in the pointers returned
by their generated bindings (so that the "real" end user doesn't have to
worry too much about that).
Maurizio
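As an added illustration of the two failure modes described above (a heap-backed segment handed to native code, and a pointer whose backing segment is smaller than the struct a binding expects to read), and of a binding "embedding extra safety information" in a pointer it hands back, here is a small example. It is not code from the thread or from Project Panama; it is written against the finalized FFM API in JDK 22 (`java.lang.foreign`) rather than the 2019 incubator API discussed in the mail, and the class name `SafePointerDemo`, the helpers `requireNative`, `requireAtLeast`, `attachStructBounds`, `readThirdInt`, and the assumed 12-byte struct size are all constructed for the example.

```java
import java.lang.foreign.Arena;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;

// Hypothetical helpers a generated binding could use to attach the safety
// information a raw native pointer lacks, before anything dereferences it.
public final class SafePointerDemo {

    // Constructed assumption: the native function is documented to return a
    // pointer to a struct of three ints, i.e. 12 bytes.
    static final long EXPECTED_STRUCT_BYTES = 12;

    // A downcall cannot take the address of Java heap memory (the GC may move
    // it), so reject heap-backed segments up front instead of at call time.
    static MemorySegment requireNative(MemorySegment segment) {
        if (!segment.isNative()) {
            throw new IllegalArgumentException(
                    "heap-backed segment cannot be passed to native code");
        }
        return segment;
    }

    // Before dereferencing, check that the segment actually spans the bytes
    // we intend to read, so a 10-byte segment cannot be read as a 12-byte struct.
    static MemorySegment requireAtLeast(MemorySegment segment, long bytes) {
        if (segment.byteSize() < bytes) {
            throw new IndexOutOfBoundsException(
                    "segment has " + segment.byteSize() + " bytes, need " + bytes);
        }
        return segment;
    }

    // A downcall that returns a raw pointer yields a zero-length segment: the
    // runtime knows only the address. The binding, which knows the C type,
    // attaches the size with the restricted reinterpret(...) call so that
    // every later access is bounds-checked against that size.
    static MemorySegment attachStructBounds(MemorySegment rawPointer) {
        requireNative(rawPointer);
        return rawPointer.reinterpret(EXPECTED_STRUCT_BYTES);
    }

    // Reads the third int field; the bounds check runs before the access.
    static int readThirdInt(MemorySegment struct) {
        requireAtLeast(struct, EXPECTED_STRUCT_BYTES);
        return struct.get(ValueLayout.JAVA_INT, 8);
    }

    public static void main(String[] args) {
        try (Arena arena = Arena.ofConfined()) {
            // Native 12-byte struct standing in for memory owned by a C library.
            MemorySegment struct = arena.allocate(ValueLayout.JAVA_INT, 3);
            struct.set(ValueLayout.JAVA_INT, 8, 42);

            // Simulate what a downcall hands back: only the address, zero length.
            MemorySegment raw = MemorySegment.ofAddress(struct.address());
            System.out.println("raw pointer byteSize: " + raw.byteSize());

            MemorySegment sized = attachStructBounds(raw);
            System.out.println("third int: " + readThirdInt(sized));

            // Failure mode 1: heap segment (MemorySegment.ofArray) going to native code.
            MemorySegment heap = MemorySegment.ofArray(new int[3]);
            try {
                requireNative(heap);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }

            // Failure mode 2: segment of size 10 where a 12-byte struct was expected.
            MemorySegment tooSmall = arena.allocate(10);
            try {
                readThirdInt(tooSmall);
            } catch (IndexOutOfBoundsException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

`reinterpret` is a restricted method, so run with `--enable-native-access=ALL-UNNAMED` (or grant the access to the binding's module) to avoid the runtime warning; keeping the restricted call inside the binding helper, rather than in user code, is what lets the "real" end user stay within the safe, bounds-checked part of the API.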