scopes writeup
John Rose
john.r.rose at oracle.com
Tue Jan 29 20:03:13 UTC 2019
On Jan 23, 2019, at 3:27 AM, Maurizio Cimadamore <maurizio.cimadamore at oracle.com> wrote:
>
> Extreme example: the library could return a pointer that is already dangling (e.g. the library allocates memory with malloc, saves the pointer somewhere, frees the memory, and then returns the pointer). There's no possible scope abstraction that can save you from that.
>
> So, when it comes to native calls, I lean towards flexibility - you should be able to pass any pointer to the native library, and you should make minimal assumption about the lifecycle of the pointers that come out of that library (the most basic assumption is that these pointers will be alive for the duration of the library).
Here's a simple example: strchr(char*)char* returns an internal pointer
into its argument. This is documented on the man page, but there's
nothing in the types or the header file that tells jextract this fact.
The scope of the returned pointer can be copied from the scope
of the input pointer. How can that be done? Some sort of manual
intervention is required. This manual intervention is what I like
to call "civilization": Somebody has to take the raw API from the
header file only, and tweak it to better conform to the documented
behavior of the API. In the end, the civilization process is intended
to produce a Java API which is safe and secure: Easy to use safely,
and impossible to subvert into a security exploit.
Because C is an unsafe language and Java is safe, there is always
going to be this mismatch between what comes out of jextract
and what is safe for use by arbitrary users. This means either
the extracted C API will be restricted to platform programmers,
or the extracted C API is wrapped in a civilizing layer.
Assigning accurate (safe and secure) scopes to pointers is one
of the hard tasks of civilization. Probably there are some C
APIs that just can't be made safe and secure for Java, but we
are betting that many useful APIs will be easily civilized.
Currently we are focusing on accurately extracting all possible
raw APIs, and providing efficient access to them. This is
challenging enough for now. So you won't see much help
for civilizing yet. I expect that folks will start to experiment
with civilizing layers when the raw extraction mechanisms
stabilize.
— John
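The strchr civilization John sketches above, as an added example that is not part of this thread or of the 2019 Panama prototype it discusses. It is written against the java.lang.foreign API that shipped as final in JDK 22 (Linker, FunctionDescriptor, MemorySegment, Arena), so the names differ from the Pointer/Scope API of the time; the class and method names are my own, and the sample string is constructed input. The raw downcall is what jextract would generate from the header alone; the wrapper is the manual intervention, re-deriving the result as a slice of the argument so it inherits the argument's scope and bounds and refusing any pointer that does not lie inside the argument.

```java
import java.lang.foreign.Arena;
import java.lang.foreign.FunctionDescriptor;
import java.lang.foreign.Linker;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.ValueLayout;
import java.lang.invoke.MethodHandle;
import java.util.Optional;

/**
 * A "civilized" binding for char *strchr(const char *s, int c).
 * The raw downcall returns a bare address with no lifetime or bounds of its own;
 * the wrapper turns it back into a slice of the caller's segment, so the result
 * carries the same scope (arena) and bounds as the string it points into.
 * Hypothetical class and method names; not part of any Panama artifact.
 */
public final class CivilizedStrchr {
    private static final Linker LINKER = Linker.nativeLinker();

    // Raw binding, as jextract would produce it from the header: nothing here
    // says the returned pointer is an internal pointer into the first argument.
    private static final MethodHandle RAW_STRCHR = LINKER.downcallHandle(
            LINKER.defaultLookup().find("strchr").orElseThrow(),
            FunctionDescriptor.of(ValueLayout.ADDRESS, ValueLayout.ADDRESS, ValueLayout.JAVA_INT));

    /**
     * Returns the suffix of {@code str} starting at the first occurrence of {@code ch},
     * or empty if the character is absent. {@code str} must be NUL-terminated.
     */
    public static Optional<MemorySegment> strchr(MemorySegment str, byte ch) throws Throwable {
        // Raw result: a zero-length native segment; accessing it would throw, and
        // nothing ties it to str's arena.
        MemorySegment raw = (MemorySegment) RAW_STRCHR.invokeExact(str, (int) ch);
        if (raw.address() == 0) {
            return Optional.empty();            // NULL: character not found
        }
        long offset = raw.address() - str.address();
        // Civilizing check: trust the man page only as far as it can be verified.
        // A pointer outside the argument would be a library bug (or a hostile
        // library); never hand such a pointer to Java code with str's scope.
        if (offset < 0 || offset >= str.byteSize()) {
            throw new IllegalStateException("strchr returned a pointer outside its argument");
        }
        // asSlice copies the argument's arena and bounds onto the result: the slice
        // cannot be read after the arena closes and cannot be indexed past the string.
        return Optional.of(str.asSlice(offset));
    }

    public static void main(String[] args) throws Throwable {
        MemorySegment escaped;
        try (Arena arena = Arena.ofConfined()) {
            // Constructed sample input: NUL-terminated copy of a Java string in native memory.
            MemorySegment s = arena.allocateFrom("hello, world");

            Optional<MemorySegment> hit = strchr(s, (byte) ',');
            System.out.println(hit.map(seg -> seg.getString(0)).orElse("<none>")); // ", world"
            System.out.println(strchr(s, (byte) 'z').isPresent());                 // false

            // Bounds travel with the slice: one past the terminator is rejected.
            MemorySegment tail = hit.orElseThrow();
            try {
                tail.get(ValueLayout.JAVA_BYTE, tail.byteSize());
            } catch (IndexOutOfBoundsException e) {
                System.out.println("out-of-bounds read rejected");
            }
            escaped = tail;   // let the slice outlive the try block on purpose
        }
        // Scope travels with the slice too: the arena is closed, so the memory is
        // no longer reachable through the slice (no dangling pointer into freed memory).
        try {
            escaped.get(ValueLayout.JAVA_BYTE, 0);
        } catch (IllegalStateException e) {
            System.out.println("use after arena close rejected");
        }
    }
}
```

Run with a JDK 22 or newer (`java --enable-native-access=ALL-UNNAMED CivilizedStrchr.java`; without the flag the first restricted call prints a warning). The point of the wrapper is the two checks a header file cannot express: the NULL case is mapped to Optional rather than to an address of zero with a scope, and any pointer that does not fall inside the argument is refused rather than trusted. Everything the raw API returns is still reachable through RAW_STRCHR for platform programmers, which matches the split John describes between the raw extracted API and the civilizing layer.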
More information about the panama-dev mailing list