From 4f1b6fce0312ddd49b520fd7b7834a1823114f45 Mon Sep 17 00:00:00 2001 From: Niko Matsakis Date: Tue, 9 Apr 2024 13:14:59 -0400 Subject: [PATCH 1/5] start talking about safety --- book/src/SUMMARY.md | 1 + book/src/intro.md | 2 +- book/src/safety.md | 20 ++++++++++++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 book/src/safety.md diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md index 7f7d978d..f03fc2d3 100644 --- a/book/src/SUMMARY.md +++ b/book/src/SUMMARY.md @@ -5,6 +5,7 @@ - [Setup](./setup.md) - [Calling Java from Rust](./call_java_from_rust.md) - [Implementing native methods](./implementing_native_methods.md) +- [Memory safety requirements](./safety.md) - [Reference](./reference.md) - [The `java_package` macro](./java_package.md) - [The `java_function` macro](./java_function.md) diff --git a/book/src/intro.md b/book/src/intro.md index 9e67c418..b3d06053 100644 --- a/book/src/intro.md +++ b/book/src/intro.md @@ -2,7 +2,7 @@ [][Zulip] -Duchess is a Rust crate that makes it easy, ergonomic, and efficient to interoperate with Java code. +Duchess is a Rust crate that makes it [safe](./safety.md), ergonomic, and efficient to interoperate with Java code. diff --git a/book/src/safety.md b/book/src/safety.md new file mode 100644 index 00000000..7f52176d --- /dev/null +++ b/book/src/safety.md @@ -0,0 +1,20 @@ +# Memory safety requirements + +Duchess provides a **safe abstraction** atop the Java Native Interface (JNI). +This means that, as long as you are using Duchess to interact with the JVM, +you cannot cause memory unsafety. +However, there are edge cases that can "void" this guarantee and which Duchess cannot control. + +## Memory safety requirements + +Duchess will guarantee memory safety within your crate, but there are two conditions that it cannot by itself guarantee: + +* **You must build with the same Java class files that you will use when you deploy:** + * Part of how Duchess guarantees is safety is by reflecting on `.class` files at build time. + * If you build against one set of class files then deploy with another, +* **You must be careful when mixing Duchess with other Rust JNI libraries:** (e.g., the [jni crate](https://crates.io/crates/jni) or [robusta_jni](https://crates.io/crates/robusta_jni)) + * For the most part, interop between Duchess and other JNI crates should be no problem. But there are some particular things that can cause issues: + * The JVM cannot be safely started from multiple threads at once. + Duchess uses a lock to avoid contending with itself but we cannot protect from other libraries starting the JVM in parallel with us. + It is generally best to start the JVM yourself (via any means) in the `main` function or some other central place so that you are guaranteed it happens once and exactly once. + Duchess should work just fine if the JVM has been started by another crate. \ No newline at end of file From 7b67a0b8f844320c6c6fd97adb8cfd5ea534adbf Mon Sep 17 00:00:00 2001 From: Niko Matsakis Date: Fri, 12 Apr 2024 08:39:03 -0400 Subject: [PATCH 2/5] wip --- book/src/SUMMARY.md | 1 + book/src/safety.md | 6 +- book/src/threat_model.md | 180 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 185 insertions(+), 2 deletions(-) create mode 100644 book/src/threat_model.md diff --git a/book/src/SUMMARY.md b/book/src/SUMMARY.md index f03fc2d3..3e0bf390 100644 --- a/book/src/SUMMARY.md +++ b/book/src/SUMMARY.md @@ -6,6 +6,7 @@ - [Calling Java from Rust](./call_java_from_rust.md) - [Implementing native methods](./implementing_native_methods.md) - [Memory safety requirements](./safety.md) + - [Threat model](./threat_model.md) - [Reference](./reference.md) - [The `java_package` macro](./java_package.md) - [The `java_function` macro](./java_function.md) diff --git a/book/src/safety.md b/book/src/safety.md index 7f52176d..f0468bd3 100644 --- a/book/src/safety.md +++ b/book/src/safety.md @@ -1,10 +1,12 @@ # Memory safety requirements -Duchess provides a **safe abstraction** atop the Java Native Interface (JNI). +Duchess provides a **safe abstraction** atop the [Java Native Interface (JNI)][jni]. This means that, as long as you are using Duchess to interact with the JVM, you cannot cause memory unsafety. However, there are edge cases that can "void" this guarantee and which Duchess cannot control. +[jni]: https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/jniTOC.html + ## Memory safety requirements Duchess will guarantee memory safety within your crate, but there are two conditions that it cannot by itself guarantee: @@ -17,4 +19,4 @@ Duchess will guarantee memory safety within your crate, but there are two condit * The JVM cannot be safely started from multiple threads at once. Duchess uses a lock to avoid contending with itself but we cannot protect from other libraries starting the JVM in parallel with us. It is generally best to start the JVM yourself (via any means) in the `main` function or some other central place so that you are guaranteed it happens once and exactly once. - Duchess should work just fine if the JVM has been started by another crate. \ No newline at end of file + Duchess should work just fine if the JVM has been started by another crate. diff --git a/book/src/threat_model.md b/book/src/threat_model.md new file mode 100644 index 00000000..2e562d1f --- /dev/null +++ b/book/src/threat_model.md @@ -0,0 +1,180 @@ +# Threat model + +This page analyzes Duchess's use of the JNI APIs to explain how it guarantees memory safety in each case. + +## Code invariants + +This section introduces invariants maintained by Duchess using Rust's type system as well as careful API design. + +### All references to `impl JavaObject` types are JNI local or global references + +The [`JavaObject`] + +### 1:1 correspondence between JNI global references and `Global` + +## Specific threat vectors + +What follows is a list of specific threat vectors identified by based on the documentation [JNI documentation](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/jniTOC.html) as well as a [checklist of common JNI failures found on IBM documentation](https://www.ibm.com/docs/en/sdk-java-technology/8?topic=jni-checklist). + +### When you update a Java object in native code, ensure synchronization of access. + +**Outcome of nonadherence:** Memory corruption + +**How Duchess avoids this:** We do not support updating objects in native code. + + +### Ensure that every global reference created has a path that deletes that global reference. + +**Outcome of nonadherence:** Memory leak + +**How Duchess avoids this:** Every time we create a global reference, we store it in a `Global` type. The destructor on this type will free the reference. + + + +--- + +## Attaching and detaching from threads + +To use the JNI one must obtain a `JNIEnv*` pointer. +This pointer is specific to a particular OS thread and cannot be used from other threads. +You can obtain the "first" `JNIEnv*` pointer in two ways + +* By explicitly attaching a Rust thread to the JVM using [`AttachCurrentThread`]; +* As a parameter that is given to a Rust function when it is being used to implement a Java `native` function. + + +This can be done The JNI can only be used on particular threads +To be used within a particular thread, the JNI must be "attached" to that thread. +Attaching gives access to a `JNIEnv*` pointer that is specific to the current thread. + +[`AttachCurrentThread`]: https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/invocation.html#AttachCurrentThread + +## References to Java objects + +As [documented in the JNI manual](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/design.html#referencing_java_objects), +native can reference Java objects in one of two ways: + +* Local references, which are valid for the duration of a native method call. Once the method returns, these references will be automatically out of scope. +* Global references, which remain valid until that are explicitly freed. + +In both cases, these are not direct references to the heap, but rather a pointer to internal JVM storage which stores the real reference. +This permits the JVM to compact and relocate Java objects even when native code is executing. + +In Duchess, local references are always represented using a `Local<'jvm, T>` type, where `'jvm` represents the scope of the current JVM invocation. + +## Cached method and field IDs + +From the [JNI documentation](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/design.html#accessing_fields_and_methods): + +> A field or method ID does not prevent the VM from unloading the class from which the ID has been derived. After the class is unloaded, the method or field ID becomes invalid. The native code, therefore, must make sure to: +> +> * keep a live reference to the underlying class, or +> * recompute the method or field ID +> +> if it intends to use a method or field ID for an extended period of time. + + +## References to Java objects + +### Invoke execution occurred regularly + +[Recommendation:](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/design.html#asynchronous_exceptions) + +> Native methods should insert ExceptionOccurred()checks in necessary places (such as in a tight loop without other exception checks) to ensure that the current thread responds to asynchronous exceptions in a reasonable amount of time. + +**Outcome of nonadherence:** + +**How Duchess avoids this:** We do not. Asynchronous exceptions are not recommended in modern code. + +### Memory exhaustion from too many local references + +[JNI reference states:](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/design.html#global_and_local_references) + +> However, there are times when the programmer should explicitly free a local reference. Consider, for example, the following situations: +> +> * A native method accesses a large Java object, thereby creating a local reference to the Java object. The native method then performs additional computation before returning to the caller. The local reference to the large Java object will prevent the object from being garbage collected, even if the object is no longer used in the remainder of the computation. +> * A native method creates a large number of local references, although not all of them are used at the same time. Since the VM needs a certain amount of space to keep track of a local reference, creating too many local references may cause the system to run out of memory. For example, a native method loops through a large array of objects, retrieves the elements as local references, and operates on one element at each iteration. After each iteration, the programmer no longer needs the local reference to the array element. +> +> The JNI allows the programmer to manually delete local references at any point within a native method. + +### Native references crossing threads + +[JNI document states:](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/design.html#global_and_local_references) + +> Local references are only valid in the thread in which they are created. The native code must not pass local references from one thread to another. + +### Clear exceptions before invoking other JNI calls + +> After an exception has been raised, the native code must first clear the exception before making other JNI calls. + +**Outcome of nonadherence:** + +**How Duchess avoids this:** Uh, do we? Certainly we internally propagate exceptions. What happens if you don't? + +### Illegal argument types + +[JNI document states](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/design.html#reporting_programming_errors): + +> Reporting Programming Errors +> +> The JNI does not check for programming errors such as passing in NULL pointers or illegal argument types. +> +> The programmer must not pass illegal pointers or arguments of the wrong type to JNI functions. Doing so could result in arbitrary consequences, including a corrupted system state or VM crash. + +**How Duchess avoids this:** Uh, do we? Certainly we internally propagate exceptions. What happens if you don't? + +### Local references cannot be saved in global variables. + +**Outcome of nonadherence:** Random crashes + +**How Duchess avoids this:** + +### Always check for exceptions (or return codes) on return from a JNI function. Always handle a deferred exception immediately you detect it. + +**Outcome of nonadherence:** Unexplained exceptions or undefined behavior, crashes + +**How Duchess avoids this:** End-users do not directly invoke JNI functions. Within Duchess, virtually all calls to JNI functions use the `EnvPtr::invoke` helper function which checks for exceptions. A small number use `invoke_unchecked` and require further audit. + +### Ensure that array and string elements are always freed. + +**Outcome of nonadherence:** Memory leak + +**How Duchess avoids this:** + +### Ensure that you use the isCopy and mode flags correctly. See Copying and pinning. + +Outcome of nonadherence: Memory leaks and/or heap fragmentation + +### Local variable capacity + +EnsureLocalCapacity + +jint EnsureLocalCapacity(JNIEnv *env, jint capacity); + +Ensures that at least a given number of local references can be created in the current thread. Returns 0 on success; otherwise returns a negative number and throws an OutOfMemoryError. + +Before it enters a native method, the VM automatically ensures that at least 16 local references can be created. + +For backward compatibility, the VM allocates local references beyond the ensured capacity. (As a debugging support, the VM may give the user warnings that too many local references are being created. In the JDK, the programmer can supply the -verbose:jni command line option to turn on these messages.) The VM calls FatalError if no more local references can be created beyond the ensured capacity. +LINKAGE: +Index 26 in the JNIEnv interface function table. +SINCE: + +JDK/JRE 1.2 + +### Push Local Frame + +-- what about interaction between jni libraries? + +PushLocalFrame + +jint PushLocalFrame(JNIEnv *env, jint capacity); + +Creates a new local reference frame, in which at least a given number of local references can be created. Returns 0 on success, a negative number and a pending OutOfMemoryError on failure. + +Note that local references already created in previous local frames are still valid in the current local frame. +LINKAGE: +Index 19 in the JNIEnv interface function table. +SINCE: + +JDK/JRE 1.2 \ No newline at end of file From 4218fdf8cdc13245a29560e539aecba1c46e7acc Mon Sep 17 00:00:00 2001 From: Niko Matsakis Date: Fri, 12 Apr 2024 08:56:17 -0400 Subject: [PATCH 3/5] extend mdbook to include rustdoc --- .github/workflows/mdbook.yml | 6 ++++++ book/src/intro.md | 1 + 2 files changed, 7 insertions(+) diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml index 4ffc6c1a..9a555e41 100644 --- a/.github/workflows/mdbook.yml +++ b/.github/workflows/mdbook.yml @@ -32,6 +32,10 @@ jobs: MDBOOK_VERSION: 0.4.21 steps: - uses: actions/checkout@v3 + - uses: actions/setup-java@v3 + with: + distribution: 'corretto' + java-version: '17' - name: Install mdBook run: | curl -sSL https://github.com/rust-lang/mdBook/releases/download/v0.4.28/mdbook-v0.4.28-x86_64-unknown-linux-gnu.tar.gz | tar -xz @@ -43,6 +47,8 @@ jobs: uses: actions/configure-pages@v3 - name: Build with mdBook run: ./mdbook build book + - name: Rust rustdoc + run: cargo doc --target-dir book/book/rustdoc - name: Upload artifact uses: actions/upload-pages-artifact@v1 with: diff --git a/book/src/intro.md b/book/src/intro.md index b3d06053..a18309d2 100644 --- a/book/src/intro.md +++ b/book/src/intro.md @@ -39,6 +39,7 @@ logger Check out the... +* [Rustdoc](./rustdoc/doc/duchess/index.html) * The [examples](https://github.com/duchess-rs/duchess/tree/main/test-crates/duchess-java-tests/tests/ui/examples) * The [tutorials](https://duchess-rs.github.io/duchess/tutorials.html) chapter From 8ab9e99696219f91389fcaeb300ce936d5338ba9 Mon Sep 17 00:00:00 2001 From: Niko Matsakis Date: Fri, 12 Apr 2024 08:59:10 -0400 Subject: [PATCH 4/5] link to our generated docs --- Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/Cargo.toml b/Cargo.toml index 86e17e76..47197a83 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -5,6 +5,7 @@ version = "0.1.8" license = "Apache-2.0 OR MIT" repository = "https://github.com/duchess-rs/duchess" homepage = "https://duchess-rs.github.io/duchess/" +documentation = "https://duchess-rs.github.io/duchess/rustdoc/doc/duchess/index.html" [package] name = "duchess" From e50a1bafaed0e1327a81b4fdc77acd78b6909ed2 Mon Sep 17 00:00:00 2001 From: Niko Matsakis Date: Fri, 12 Apr 2024 09:01:06 -0400 Subject: [PATCH 5/5] wip --- book/src/threat_model.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/book/src/threat_model.md b/book/src/threat_model.md index 2e562d1f..7316b6b7 100644 --- a/book/src/threat_model.md +++ b/book/src/threat_model.md @@ -1,5 +1,7 @@ # Threat model +![Status: Experimental](https://img.shields.io/badge/Status-WIP-yellow) + This page analyzes Duchess's use of the JNI APIs to explain how it guarantees memory safety in each case. ## Code invariants