Usage of global scope by Linker is unsafe for pointers to `static` data in loaded library

some-java-user-99206970363698485155 at vodafonemail.de some-java-user-99206970363698485155 at vodafonemail.de
Sat Sep 21 15:54:55 UTC 2024 

Hello,

as mentioned in the Javadoc, for downcalls and upcalls Linker uses the 
global scope for the result respectively the arguments. This is 
problematic for pointers to `static` data in C because it leads to 
unsafe code.
Specifically, consider this case:

 1. Load a library using SymbolLookup
 2. Obtain the address of a function in that library
 3. Call that function using Linker; the function returns a pointer to
    `static` data
 4. Use the function result

If I understand it correctly that pointer to the `static` data actually 
points within the data of the loaded library (and not some newly 
allocated heap memory). But I am not that familiar with C, so please 
correct me if I am wrong.

The problem is now if you accidentally unload the library by closing the 
Arena which was used for loading it, either explicitly or by the garbage 
collector in case of Arena.ofAuto(), while the function result is still 
is use.
Because the Linker used the global scope, if you use the `static` data 
returned by the function it will crash the JVM because it is not 
detected that the original Arena had been closed, and the library had 
been unloaded.


What makes this worse is that if you are just given a SymbolLookup, or 
even a MemorySegment obtained from it, you don't have access to the 
original Arena used to load the library, so you cannot even manually fix 
this unsafety this by using `MemorySegment#reinterpet` to change the Arena.


Maybe it would therefore be safer if Linker for downcalls used the scope 
of the given function pointer MemorySegment, instead of the global 
scope. What do you think?
For upcall arguments I am not sure if there is a way to fix this unsafety.


If the behavior for downcalls cannot be changed, could you then please 
at least add a 'restricted' `MemorySegment#withScope(Scope)` (maybe with 
additional 'cleanup' argument) or similar, so that you can manually 
change the scope of the downcall result, without needing a reference to 
the original Arena (which is currently required for 
`MemorySegment#reinterpet`)?
Though personally I would prefer if the default downcall behavior was 
changed, because manually having to change the scope of the downcall 
result every time is error-prone and easy to forget.


Kind regards
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/panama-dev/attachments/20240921/958cd33f/attachment.htm>

More information about the panama-dev mailing list