Andriy Redko {devmind}

Wednesday, March 26, 2025

JDK-24: the death of SecurityManager

It has happened: after many years of deprecation warnings and back-and-forth conversations, the SecurityManager is effectively dead. JDK-24, released just last week, sets a final point in this long story. But there is no time to grieve, so many new features in JDK-24 to talk about!

The JDK-24 is really packed with JEPs, nonetheless some of them are being dragged from the previous JDK releases. Let us kick off from the finalized features first, with the preview / experimental / incubating to follow right after.

JEP-472: Prepare to Restrict the Use of JNI: issues warnings about uses of the Java Native Interface (JNI) and adjusts the Foreign Function & Memory (FFM) API to issue warnings in a consistent manner. All such warnings aim to prepare developers for a future release that ensures integrity by default by uniformly restricting JNI and the FFM API. Application developers can avoid both current warnings and future restrictions by selectively enabling these interfaces where essential.

Code that uses JNI is affected by native access restrictions if
- It calls System::loadLibrary, System::load, Runtime::loadLibrary, or Runtime::load, or
- It declares a native method.
The following warnings are going to be issued:
```
     WARNING: A restricted method in java.lang.System has been called
     WARNING: java.lang.System::loadLibrary has been called by com.example.LoadLibraryRunner in an unnamed module (...)
     WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
     WARNING: Restricted methods will be blocked in a future release unless native access is enabled
```
As per the hints above, to enable native access selectively, you could use the following command-line options:
- $ java --enable-native-access=ALL-UNNAMED ... (all code on the class path)
- $ java --enable-native-access=M1,M2, ... (specific modules on the module path)
Alternatively, you could add Enable-Native-Access: ALL-UNNAMED to the manifest of an executable JAR file (MANIFEST.MF). The only supported value for the Enable-Native-Access manifest entry is ALL-UNNAMED; other values cause an exception to be thrown. For more details, please check Quality Outreach Heads-up - JDK 24: Prepares Restricted Native Access write-up.
JEP-498: Warn upon Use of Memory-Access Methods in sun.misc.Unsafe: issues a warning at run time on the first occasion that any memory-access method in sun.misc.Unsafe is invoked. All of these unsupported methods were terminally deprecated in JDK 23. They have been superseded by standard APIs, namely the VarHandle API (JEP 193, JDK 9) and the Foreign Function & Memory API (JEP 454, JDK 22).

In case when usage of the sun.misc.Unsafe memory-access methods is detected, the following warnings are going to be issued:
```
     WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
     WARNING: sun.misc.Unsafe::allocateMemory has been called by com.example.UnsafeRunner (...)
     WARNING: Please consider reporting this to the maintainers of class com.example.UnsafeRunner
     WARNING: sun.misc.Unsafe::allocateMemory will be removed in a future release
```
JEP-491: Synchronize Virtual Threads without Pinning: improves the scalability of Java code that uses synchronized methods and statements by arranging for virtual threads that block in such constructs to release their underlying platform threads for use by other virtual threads. This will eliminate nearly all cases of virtual threads being pinned to platform threads, which severely restricts the number of virtual threads available to handle an application's workload.
JEP-475: Late Barrier Expansion for G1: simplifies the implementation of the G1 garbage collector's barriers, which record information about application memory accesses, by shifting their expansion from early in the C2 JIT's compilation pipeline to later.
JEP-479: Remove the Windows 32-bit x86 Port: removes the source code and build support for the Windows 32-bit x86 port. This port was deprecated for removal in JDK 21 with the express intent to remove it in a future release.
JEP-490: ZGC: Remove the Non-Generational Mode: removes the non-generational mode of the Z Garbage Collector (ZGC), keeping the generational mode as the default for ZGC.
JEP-501: Deprecate the 32-bit x86 Port for Removal: deprecates the 32-bit x86 port, with the intent to remove it in a future release. This will thereby deprecate the Linux 32-bit x86 port, which is the only 32-bit x86 port remaining in the JDK. It will also, effectively, deprecate any remaining downstream 32-bit x86 ports. After the 32-bit x86 port is removed, the architecture-agnostic Zero port will be the only way to run Java programs on 32-bit x86 processors.
JEP-493: Linking Run-Time Images without JMODs: reduces the size of the JDK by approximately 25% by enabling the jlink tool to create custom run-time images without using the JDK's JMOD files. This feature must be enabled when the JDK is built; it will not be enabled by default, and some JDK vendors may choose not to enable it.
JEP-496: Quantum-Resistant Module-Lattice-Based Key Encapsulation Mechanism: enhances the security of Java applications by providing an implementation of the quantum-resistant Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). Key encapsulation mechanisms (KEMs) are used to secure symmetric keys over insecure communication channels using public key cryptography. ML-KEM is designed to be secure against future quantum computing attacks. It has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 203.
JEP-497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm: enhances the security of Java applications by providing an implementation of the quantum-resistant Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of signatories. ML-DSA is designed to be secure against future quantum computing attacks. It has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 204.
JEP-484: Class-File API: provides a standard API for parsing, generating, and transforming Java class files. This JEP finalizes the Class-File API that was originally proposed as a preview feature by JEP 457 in JDK 22 and refined by JEP 466 in JDK 23.
JEP-486: Permanently Disable the Security Manager: removes the abilities to enable the Security Manager when starting the Java runtime (java -Djava.security.manager ...) or to install a Security Manager while an application is running (System::setSecurityManager).
It is worth to mention that the impacted APIs changes are going way beyond just Security Manager, notably:
- AccessController::checkPermission always throws java.security.AccessControlException
- Policy::setPolicy always throws java.lang.UnsupportedOperationException
- Policy::getInstance methods always throw java.security.NoSuchAlgorithmException
- SecurityManager::check* methods always throw java.lang.SecurityException
- Subject::getSubject always throws java.lang.UnsupportedOperationException
- java.lang.SecurityException has been removed from most of the JDK's method signatures
JEP-483: Ahead-of-Time Class Loading & Linking: improves startup time by making the classes of an application instantly available, in a loaded and linked state, when the HotSpot Java Virtual Machine starts. Achieve this by monitoring the application during one run and storing the loaded and linked forms of all classes in a cache for use in subsequent runs. Lay a foundation for future improvements to both startup and warmup time.

This one is probably the first tangible deliverable of the Project Leyden, and an exciting one. The process to create a cache takes two steps.
First, run the application once, in a training run, to record its AOT configuration, in this case into the file app.aotconf:
```
    $ java -XX:AOTMode=record -XX:AOTConfiguration=app.aotconf -cp app.jar com.example.App ...
    
```
Second, use the configuration to create the cache, in the file app.aot (this step doesn’t run the application, it just creates the cache):
```
    $ java -XX:AOTMode=create -XX:AOTConfiguration=app.aotconf -XX:AOTCache=app.aot -cp app.jar
    
```
Subsequently, in testing or production, run the application with the cache (if the cache file is unusable or does not exist then the JVM issues a warning message and continues):
```
    $ java -XX:AOTCache=app.aot -cp app.jar com.example.App ...
    
```

The process is somewhat verbose at the moment, but no doubts, there are strong indications that the improvements are coming in the next release(s).

JEP-485: Stream Gatherers: enhances the Stream API to support custom intermediate operations. This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations.

From the API perspective, the changes include:
- new intermediate default <R> Stream<R> gather(Gatherer<? super T, ?, R> gatherer) operation on java.util.stream.Stream that processes the elements of a stream by applying a user-defined entity called a gatherer
- new interface Gatherer<T,A,R>
- new class Gatherers, factory of implementations of Gatherer<T,A,R> that provide useful intermediate operations, such as windowing functions, folding functions, transforming elements concurrently, etc.
Please check recently published The Gatherer API tutorial for more in-depth API design overview and different usage scenarios.

It was a lot but we are far from done yet, the list of preview / experimental / incubating features is as impressive:

JEP-478: Key Derivation Function API (Preview): introduces an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. This is a preview API feature.
JEP-487: Scoped Values (Fourth Preview): introduces scoped values, which enable a method to share immutable data both with its callees within a thread, and with child threads. Scoped values are easier to reason about than thread-local variables. They also have lower space and time costs, especially when used together with virtual threads (JEP 444) and structured concurrency (JEP 480). This is a preview API feature.
JEP-489: Vector API (Ninth Incubator): introduces an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPU architectures, thus achieving performance superior to equivalent scalar computations.
JEP-499: Structured Concurrency (Fourth Preview): simplifies concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API feature.
JEP-494: Module Import Declarations (Second Preview): enhances the Java programming language with the ability to succinctly import all of the packages exported by a module. This simplifies the reuse of modular libraries, but does not require the importing code to be in a module itself. This is a preview language feature that we have covered previously.
JEP-488: Primitive Types in Patterns, instanceof, and switch (Second Preview): enhances pattern matching by allowing primitive types in all pattern contexts, and extend instanceof and switch to work with all primitive types. This is a preview language feature that we have covered previously.
JEP-404: Generational Shenandoah (Experimental): enhances the Shenandoah garbage collector with experimental generational collection capabilities to improve sustainable throughput, load-spike resilience, and memory utilization. This experimental feature could be activated through the JVM command line options:
```
$ java -XX:+UseShenandoahGC -XX:+UnlockExperimentalVMOptions -XX:ShenandoahGCMode=generational ... 
```
JEP-450: Compact Object Headers (Experimental): reduces the size of object headers in the HotSpot JVM from between 96 and 128 bits down to 64 bits on 64-bit architectures. This will reduce heap size, improve deployment density, and increase data locality. This experimental feature could be is activated through the JVM command line options:
```
$ java -XX:+UnlockExperimentalVMOptions -XX:+UseCompactObjectHeaders ... 
```
JEP-492: Flexible Constructor Bodies (Third Preview): in constructors in the Java programming language, allows statements to appear before an explicit constructor invocation, i.e., super(..) or this(..). The statements cannot reference the instance under construction, but they can initialize its fields. Initializing fields before invoking another constructor makes a class more reliable when methods are overridden. This is a preview language feature.
JEP-495: Simple Source Files and Instance Main Methods (Fourth Preview): evolves the Java programming language so that beginners can write their first programs without needing to understand language features designed for large programs. Far from using a separate dialect of the language, beginners can write streamlined declarations for single-class programs and then seamlessly expand their programs to use more advanced features as their skills grow. Experienced developers can likewise enjoy writing small programs succinctly, without the need for constructs intended for programming in the large. This is a preview language feature.

The amount of features we just looked at is astonishingly large for just one release, but let us take a look on some other fixes and improvements that went into JDK-24:

JDK-8338890: Add monitoring/management interface for the virtual thread scheduler: introduces a new JDK-specific monitoring and management interface named jdk.management.VirtualThreadSchedulerMXBean to monitor and manage the virtual thread scheduler with JMX based tooling.
JDK-8334026: Provide a diagnostic PrintMemoryMapAtExit switch on Linux: adds a new command line option -XX:+UnlockDiagnosticVMOptions -XX:+PrintMemoryMapAtExit to be able to get an annotated memory map at exit.
JDK-8340821: Umbrella: Improve FFM Bulk Operations: an umbrella issue for a set of FFM API bulk operation improvements.
JDK-8336856: Efficient Hidden Class-Based String Concatenation Strategy: seeks to unify bootstrapping JEP-280: Indify String Concatenation expressions strategies into a single one that uses per-shape class generation emitting code semantically similar to the optimized MH expression tree.
JDK-8333867: SHA3 Performance Can be Improved: improves SHA3 performance by eliminating unnecessary conversions.
JDK-8338542 Umbrella: Reduce Startup Overhead Associated with Migration to ClassFile API: an umbrella issue for reducing startup overhead associated with migration of java.lang.invoke package to ClassFile API.
JDK-8180450: secondary_super_cache does not scale well: improvements related to better scaling of the secondary_super_cache.
JDK-8320448: Accelerate IndexOf Using AVX2: rewrites the String::indexOf code without the use of the pcmpestri instruction, only using AVX2 instructions (this change accelerates String::indexOf on average 1.3x for AVX2).
JDK-8343791: Socket.connect Closes the Socket If the Connection Cannot Be Established: the new SocketImpl introduced under JEP-353 did not close the underlying socket when the connect method rejected an unresolved address.
JDK-8342075: HttpClient: improve HTTP/2 flow control checks: the HttpClient should report flow control issues to the server as FLOW_CONTROL_ERROR.
JDK-8324209: Check implementation of Expect: 100-continue in the java.net.http.HttpClient: the HttpClient would previously timeout if a server didn’t respond to a request which included a Expect: 100-Continue header.
JDK-8319993: Update Unicode Data Files to 16.0.0: support for Unicode 16.0
JDK-8333582: Update CLDR to Version 46.0: support for CLDR Version 46.

The JDK-24 tooling updates bring some new capabilities and deprecations:

JDK-8173970: jar tool should have a way to extract to a directory: The jar tool's extract operation has been enhanced to allow the --dir or the -C options to be used to specify the directory where the archive will be extracted.
JDK-8335912: Add an operation mode to the jar command when extracting to not overwriting existing files: the jar tool's extract operation has been enhanced to allow the --keep-old-files and the -k options to be used in preventing the overwriting of existing files.
JDK-8337199: Add jcmd Thread.vthread_scheduler and Thread.vthread_pollers diagnostic commands: brings two new jcmd commands:
- $ jcmd <pid> Thread.vthread_scheduler to print the virtual thread scheduler
- $ jcmd <pid> Thread.vthread_pollers to print the I/O pollers that support virtual threads doing blocking network I/O operations
JDK-8327793: jstatd Is Deprecated for Removal: to reduce dependencies on RMI, the jstatd tool should be removed.
JDK-8338894: Deprecate jhsdb debugd for removal: the debugd subcommand of the jhsdb tool is deprecated, for removal in a future release.

Sadly, there are few regressions to be aware of that sneaked into JDK-24 release:

JDK-8350820: OperatingSystemMXBean CpuLoad() Methods Return -1.0 on Windows: on Windows, the OperatingSystemMXBean CPU load methods, such as getSystemCpuLoad, getCpuLoad, and getProcessCpuLoad, always return -1.
JDK-8349637: IInteger.numberOfLeadingZeros outputs incorrectly in certain cases: the method Integer.numberOfLeadingZeros(int) may return an incorrect result on x86_64 with AVX2.

Last but not least, let us look over the changes to the standard library:

In scope of JDK-8341566: New Reader.of(CharSequence), one new method was introduced into java.io.Reader class:
- static Reader of(CharSequence cs)
The JDK-8336479: Provide Process.waitFor(Duration) adds a new method to java.lang.Process class:
- boolean waitFor(Duration duration) throws InterruptedException
The class java.io.Console got a few new methods:
- Console println()
- String readln()
The class java.io.IO got two new methods:
- static void println()
- static String readln()

To close up, a couple of security related enhancements that deserve closer look:

JDK-8341964: Add mechanism to disable different parts of TLS cipher suite: TLS cipher suites can be disabled with the jdk.tls.disabledAlgorithms security property in the java.security configuration file using one or more '*' wildcard characters.
JDK-8319332: Security properties files inclusion: the java.security security properties file, and those referred to by the java.security.properties system property, now support including other properties files. The directive include <path-to-a-file> can be used for this purpose. Please refer to Quality Outreach Heads-up - JDK 24: Security Properties Files Inclusion for more details.

I think it is fair to say that JDK-24 is an outstanding (and at the same time, disruptive to some) release that prepares the ground for the next LTS version, JDK-25, which is expected to land later this year.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

Thursday, December 26, 2024

Simple is finally easy: bootstrapping JAX-RS applications in Java SE environments

It has been a while since Jakarta EE 10 was released but the ecosystem is slowly (but steadily!) catching up. The Apache CXF project landed new 4.1.0 release very recently that delivers Jakarta EE 10 compatibility, specifically implementation of the Jakarta RESTful Web Services 3.1 specification (also known as JAX-RS).

One of the most exciting (in my option) features that Jakarta RESTful Web Services 3.1 includes is bootstrapping JAX-RS applications in Java SE environments. From now on, creating the full-fledged RESTful web services on the JVM becomes not only easy, but very straightforward! In today's post, we are going to build a sample RESTful web service and host it inside the Java SE application, with a catch - no boilerplate allowed.

The PeopleRestService, presented in the snippet below, is a minimalistic example of the typical Jakarta RESTful web service: for a sake of keeping things simple, it does not do anything useful besides returning the predefined data back.

import java.util.Collection;
import java.util.List;
 
import com.example.jakarta.restful.bootstrap.model.Person;
 
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
 
@Path("/people")
public class PeopleRestService {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Collection<Person> getPeople() {
        return List.of(new Person("a@b.com", "John", "Smith"));
    }
}

The Person class contains only three fields: email, firstName and lastName.

public class Person {
    private String email;
    private String firstName;
    private String lastName;
    // Skipping the getters and setters for brevity
}

Essentially, this is all we need at this point. Now the hardest part, how to expose the PeopleRestService to the outside world? Here is the moment for SeBootstrap to take the stage. Its entire purpose is allowing to startup a JAX-RS application in Java SE environments, without (explicitly) requiring the presence of the web container or application server. How does it look like in practice?

import java.util.Set;
import java.util.concurrent.CompletionStage;
 
import com.example.jakarta.restful.bootstrap.rs.PeopleRestService;
 
import jakarta.ws.rs.ApplicationPath;
import jakarta.ws.rs.SeBootstrap;
import jakarta.ws.rs.core.Application;
 
public class BootstrapRunner {
    @ApplicationPath("/api")
    public static final class JakartaRestfulApplication extends Application {
        @Override
        public Set<Object> getSingletons() {
            return Set.of(new PeopleRestService());
        }
    }
 
    public static void main(String[] args) {
        final SeBootstrap.Configuration configuration = SeBootstrap.Configuration
            .builder()
            .property(SeBootstrap.Configuration.PROTOCOL, "http")
            .property(SeBootstrap.Configuration.PORT, 10800)
            .property(SeBootstrap.Configuration.ROOT_PATH, "/")
            .build();
     
        SeBootstrap
            .start(new JakartaRestfulApplication(), configuration)
            .toCompletableFuture()
            .join();
    }
}

As simple as that: pass the port (10800), protocol (HTTP) and root path (/) through SeBootstrap.Configuration along with Application subclass (JakartaRestfulApplication) instance to SeBootstrap::start method. To complete the puzzle, here are all the dependencies that are required by our Java SE application (taken from project's Apache Maven pom.xml file).

<dependencies>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-frontend-jaxrs</artifactId>
        <version>4.1.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-rs-extension-providers</artifactId>
        <version>4.1.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-transports-http-jetty</artifactId>
        <version>4.1.0</version>
    </dependency>
    <dependency>
        <groupId>jakarta.json</groupId>
        <artifactId>jakarta.json-api</artifactId>
        <version>2.1.3</version>
    </dependency>
    <dependency>
        <groupId>jakarta.json.bind</groupId>
        <artifactId>jakarta.json.bind-api</artifactId>
        <version>3.0.1</version>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>1.5.15</version>
    </dependency>
    <dependency>
        <groupId>org.eclipse</groupId>
        <artifactId>yasson</artifactId>
        <version>3.0.4</version>
    </dependency>
</dependencies>

Nothing special, except may be Eclipse Yasson, the JSON-B implementation provider. It is time to make sure everything actually works!

$ mvn clean package

...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
...

$ java -jar target/cxf-jakarta-restful-3.1-bootstrap-0.0.1-SNAPSHOT.jar
Dec 24, 2024 2:43:45 P.M. org.apache.cxf.endpoint.ServerImpl initDestination
INFO: Setting the server's publish address to be http://:10800/api
14:43:46.129 [onPool-worker-1] INFO rg.eclipse.jetty.server.Server - jetty-12.0.15; built: 2024-11-05T19:44:57.623Z; git: 8281ae9740d4b4225e8166cc476bad237c70213a; jvm 23.0.1+8-FR
14:43:46.288 [onPool-worker-1] INFO jetty.server.AbstractConnector - Started ServerConnector@7b66a8d{HTTP/1.1, (http/1.1)}{:10800}
14:43:46.302 [onPool-worker-1] INFO rg.eclipse.jetty.server.Server - Started oejs.Server@7683694f{STARTING}[12.0.15,sto=0] @1701ms
14:43:46.349 [onPool-worker-1] INFO .server.handler.ContextHandler - Started oeje10s.ServletContextHandler@4b04a638{ROOT,/,b=null,a=AVAILABLE,h=oeje10s.ServletHandler@23ae88f1{STARTED}}

With the application up and running, we are ready to invoke the http://localhost:10800/api/people HTTP endpoint (the only one our Jakarta RESTful web service exposes).

$ curl http://localhost:10800/api/people -iv
* Host localhost:10800 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:10800...
*   Trying 127.0.0.1:10800...
* Connected to localhost (127.0.0.1) port 10800
* using HTTP/1.x
> GET /api/people HTTP/1.1
> Host: localhost:10800
> User-Agent: curl/8.11.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Jetty(12.0.15)
Server: Jetty(12.0.15)
< Date: Tue, 24 Dec 2024 19:52:10 GMT
Date: Tue, 24 Dec 2024 19:52:10 GMT
< Content-Type: application/json
Content-Type: application/json
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
<

[{"email":"a@b.com","firstName":"John","lastName":"Smith"}]

And here we are, we get the response with our hardcoded list of people, no surprises! I hope you would agree, the bootstrapping process is very simple and easy to follow. Even more, you could integrate SeBootstrap in your test suites as well, thanks to its flexible configuration capabilities, for example:

final SeBootstrap.Configuration configuration = SeBootstrap.Configuration
    .builder()
    // Use random free port
    .property(SeBootstrap.Configuration.PORT, SeBootstrap.Configuration.FREE_PORT)
    ...
    .build();
 
// Start the instance
final Instance instance = SeBootstrap
    .start(new JakartaRestfulApplication(), configuration)
    .toCompletableFuture()
    .join();
     
final SeBootstrap.Configuration actual = instance.configuration();
// Use actual.port(), actual.host(), ...
...
 
// Stop the instance
instance
    .stop()
    .toCompletableFuture()
    .join();

It is worth to mention that bootstrapping secure Jakarta RESTful Web Services using HTTPS protocol is also supported, for example:

final SeBootstrap.Configuration configuration = SeBootstrap.Configuration
    .builder()
    .property(SeBootstrap.Configuration.PROTOCOL, "https")
    .property(SeBootstrap.Configuration.PORT, 10843)
    .property(SeBootstrap.Configuration.ROOT_PATH, "/")
    .sslContext(SSLContext.getDefault()) /* or supply your own */
    .build();

The complete source code of the project is available on Github.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

Friday, October 11, 2024

JDK-23: the messenger?

It's been a little less than few weeks since JDK-23 was released and we have not covered it yet! To be fair, this is not a big deal, each new release gets more and more attention, but nonetheless! And while this one in particular may not be looking too exciting (well, mostly all the features are in preview), it is a messenger of what is coming next (and that is really thrilling).

Anyway, there are quite a few things that JDK-23 delivers.

JEP-474: ZGC: Generational Mode by Default: switches the default mode of the Z Garbage Collector (ZGC) to the generational mode. Deprecate the non-generational mode, with the intent to remove it in a future release.
JEP-467: Markdown Documentation Comments: enables JavaDoc documentation comments to be written in Markdown rather than solely in a mixture of HTML and JavaDoc @-tags.
To be fair, for many (myself included), writing the documentation in such a weird mix of HTML and @-tags was never a pleasant exercise. But Markdown is a game changer here: widely used and human friendly, it has all the potential to be adopted as a go-to documentation format for JVM.
JEP-471: Deprecate the Memory-Access Methods in sun.misc.Unsafe for Removal: deprecates the memory-access methods in sun.misc.Unsafe for removal in a future release. These unsupported methods have been superseded by standard APIs, namely the VarHandle API (JEP-193 delivered in JDK-9) and the Foreign Function & Memory API (JEP-454 delivered JDK-22).
JEP-476: Module Import Declarations (Preview): enhances the Java programming language with the ability to succinctly import all of the packages exported by a module. This simplifies the reuse of modular libraries, but does not require the importing code to be in a module itself. This is a preview language feature.
This is more of usability feature that replaces mass imports with a single line, for example:

?
1
import module java.base;

But taking into account relatively limited adoption of the JPMS, its usefulness is a bit unclear at the moment.
JEP-455: Primitive Types in Patterns, instanceof, and switch (Preview): enhances pattern matching by allowing primitive type patterns in all pattern contexts, and extend instanceof and switch to work with all primitive types. This is a preview language feature.
The work under this JEP lifts off one of the JEP-411 (that was delivered in JDK-21) restrictions and allows using primitive types in instanceof and switch statements and/or expressions, for example:

final Object obj = ... ; 
var o = switch (obj) {
    case null ->  ... ;
    case String s -> ... ;
    case byte b -> ... ;
    case int[] a -> ... ;
    default ->  ... ;
}

JEP-466: Class-File API (Second Preview): refinements over JEP-457 that was delivered in JDK-22.
JEP-469: Vector API (Eighth Incubator): refinements over JEP-460 that was delivered in JDK-22.
JEP-473: Stream Gatherers (Second Preview): refinements over JEP-461 that was delivered in JDK-22.
JEP-477: Implicitly Declared Classes and Instance Main Methods (Third Preview): refinements over JEP-463 that was delivered in JDK-22.
JEP-480: Structured Concurrency (Third Preview): refinements over JEP-462 that was delivered in JDK-22.
JEP-481: Scoped Values (Third Preview): refinements over JEP-464 that was delivered in JDK-22.
JEP-482: Flexible Constructor Bodies (Second Preview): refinements over JEP-447 that was delivered in JDK-22.

Along with the new features, there are some disruptive changes as well, notably:

JDK-8325568: Remove legacy locale data (COMPAT, JRE) from the JDK: removes legacy locale data. As the result, setting java.locale.providers system property to JRE or COMPAT (e.g., java -Djava.locale.providers=JRE,CLDR ... or java -Djava.locale.providers=COMPAT,CLDR ...) will have no effect (ignored). Check please Unicode in JDK 23: Removal of COMPAT Locale Provider for more details.
JDK-8296244: Alternate implementation of user-based authorization Subject APIs that doesn’t depend on Security Manager APIs: in the implementation of Subject.current() and Subject.doAs(), replaces the dependencies on AccessController/AccessControlContext (which are deprecated for removal) with scoped values (see JEP-446).
In scope of this change, the terminally deprecated method Subject.getSubject(AccessControlContext) has been respecified to throw UnsupportedOperationException if invoked when a Security Manager is not allowed. Check please JDK23: Re-Specified Subject.getSubject API for more details.
JDK-8341127: Extra call to MethodHandle::asType from memory segment var handles fails to inline: a misfortunate performance regression has slipped into JDK-23 release when using memory segment var handles.
The following methods have been removed from java.lang.Thread class:
- void resume()
- void suspend()
Consequently, the following methods have been removed from java.lang.ThreadGroup class:
- void resume()
- void suspend()
- void stop()
The javax.management.remote.rmi.RMIConnector lost one method as part of JDK-8326666: Remove the Java Management Extension (JMX) Subject Delegation feature:
- MBeanServerConnection getMBeanServerConnection(javax.security.auth.Subject subject)
JDK-8318966: Some methods make promises about Java array element alignment that are too strong removes the following methods:
- java.lang.invoke.MethodHandles::byteArrayViewVarHandle
- java.lang.invoke.MethodHandles::byteBufferViewVarHandle
- java.nio.ByteBuffer::alignedSlice
- java.nio.ByteBuffer::alignmentOffset
JDK-8330005: RandomGeneratorFactory.getDefault() throws exception when the runtime image only has java.base module: moves all random generators mandated in package java.util.random and currently implemented in module jdk.random to module java.base, and removes module jdk.random.
JDK-6968351: httpserver clashes with delayed TCP ACKs for low Content-Length: avoids immediately sending response headers if chunked mode is selected or if the response has a body.

On the bright side, there are a number of enhancements, bug fixes, tooling and GC improvements that are worth mentioning:

JDK-8326908: DecimalFormat::toPattern throws OutOfMemoryError when pattern is empty string: for java.text.DecimalFormat created with an empty String pattern, the value returned by java.text.DecimalFormat::getMaximumFractionDigits will now be 340, instead of the previous value, Integer.MAX_VALUE.
JDK-8319548: Unexpected internal name for Filler array klass causes error in VisualVM: adds the [ array bracket, and renames the element name to not have Array inside to not try to pretend that the element is some other kind of array.
JDK-8331048: G1: Prune rebuild candidates based on G1HeapWastePercent early: reduces the rebuild time in cases where pruning happens.
JDK-8327452: G1: Improve scalability of Merge Log Buffers: reduces contention on the dirty card queue set (DCQS).
JDK-8280087: G1: Handle out-of-mark stack situations during reference processing more gracefully: allows for growing the marking stack without the need to copy over elements.
JDK-8329203: Parallel: Investigate Mark-Compact for Full GC to decrease memory usage: transitions to the mark-compact algorithm (the same one used in Serial/G1 full-GC) that mitigates the memory footprint and bring it more in line with other garbage collectors.
JDK-8325553: Parallel: Use per-marker cache for marking stats during Full GC: adds cache to avoid too much contentious writes to global marking stats.
JDK-8275338: Add JFR events for notable serialization situations: adds serialization misdeclaration events to JFR.
JDK-8319551: Regressions >10% in some JFR Startups: fixes regression introduced in JDK-22, making startup times comparable to JDK-21.
JDK-8324665: Loose matching of space separators in the lenient date/time parsing mode: implements CLDR loose matching on parsing in DateFormat/DateTimeFormatter.
JDK-8332154: Memory leak in SynchronousQueue: SynchronousQueue sometimes appears in a state where it has only request nodes (i.e. it is empty) and a reference to an item it stored before.
JDK-8330542: Template for Creating Strict JAXP Configuration File: adds a template for users to create custom JAXP configuration files, that can then be used to test and verify the readiness of their applications before the JDK's eventual switch to a more secure configuration by default: jaxp-strict.properties.template.

The changes on the standard library API side are quite moderate:

The true gem of JDK-23 is brand new utility class java.lang.runtime.ExactConversionsSupport that helps to test if conversion of a value is exact (it yields a result without loss of information or throwing an exception).
The java.io.Console class has gained a lot of new methods under JDK-8330276 Console methods with explicit Locale:
A sealed interface java.lang.foreign.MemorySegment was enriched with one new method:
- long maxByteAlignment()
An interface java.lang.foreign.SymbolLookup had one new default method:
- default MemorySegment findOrThrow(String name)
An abstract class java.text.NumberFormat got some new functionality:
- boolean isStrict()
- void setStrict(boolean strict)
Consequently, its subclasses java.text.CompactNumberFormat, java.text.DecimalFormat and java.text.ChoiceFormat inherited (and implemented) these new APIs as well.
An old java.net.Inet4Address class also got one new factory method:
- static Inet4Address ofPosixLiteral(String posixIPAddressLiteral)
Quite useful enhancement went into java.time.Instant class as part of JDK-8331202: Support for Duration until another Instant:
- Duration until(Instant endExclusive)
The class javax.tools.SimpleJavaFileObject was empowered with a new factory method:
- static JavaFileObject forSource(URI uri, String content)

On the final note, it is good time to go over some security related updates that were introduced into JDK-23 (for more details, please check JDK 23 Security Enhancements):

JDK-8330108: Increase CipherInputStream buffer size: increases buffer size in CipherInputStream from 512 bytes to 8192 bytes.
JDK-8328638: Fallback option for POST-only OCSP requests: introduces a new JDK system property com.sun.security.ocsp.useget to allow clients to fallback to POST-only behavior: -Dcom.sun.security.ocsp.useget={false,true} (the default value is true).
JDK-8051959: Add thread and timestamp options to java.security.debug system property: improves the java.security.debug output so that options exist to add thread ID, thread name, source of log record and a timestamp information to the output.

If anything, JDK-23 is a solid release, ready for prime time. From the changes perfective, it looks low risk as well, so if you skipped JDK-22 for some reasons, JDK-23 may be the one.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

Friday, August 30, 2024

Apache CXF at speed of ... native!

GraalVM has been around for quite a while, steadily making big waves in OpenJDK community (looking at you, JEP 483: Ahead-of-Time Class Loading & Linking). It is wonderful piece of JVM engineering that gave birth to new generation of the frameworks like Quarkus, Helidon and Micronaut, just to name a few.

But what about the old players, like Apache CXF? A large number of applications and services were built on top of it, could those benefit from GraalVM, and particularly native image compilation? The answer to this question used to vary a lot, but thanks to steady progress, GraalVM strives to make it as frictionless as possible.

In today's post, we are going to build a sample Jakarta RESTful web service using Apache CXF and Jakarta XML Binding, and compile it to native image with GraalVM Community 21.0.2+13.1.

Let us start off with the data model, which consists of a single POJO, class Customer.

import jakarta.xml.bind.annotation.XmlRootElement;
 
@XmlRootElement(name = "Customer")
public class Customer {
    private long id;
    private String name;
 
    public long getId() {
        return id;
    }
 
    public void setId(long id) {
        this.id = id;
    }
 
    public String getName() {
        return name;
    }
 
    public void setName(String name) {
        this.name = name;
    }
}

The class CustomerResource, a minimal Jakarta RESTful web service implementation, exposes a few endpoints to manage Customers, for simplicity - the state is stored in memory.

import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
 
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.Response.Status;
 
@Path("/")
@Produces(MediaType.APPLICATION_XML)
public class CustomerResource {
    private final AtomicInteger id = new AtomicInteger();
    private final Map<Long, Customer> customers = new HashMap<>();
 
    @GET
    @Path("/customers")
    public Collection<Customer> getCustomers() {
        return customers.values();
    }
 
    @GET
    @Path("/customers/{id}")
    public Response getCustomer(@PathParam("id") long id) {
        final Customer customer = customers.get(id);
        if (customer != null) {
            return Response.ok(customer).build();
        } else {
            return Response.status(Status.NOT_FOUND).build();
        }
    }
 
    @POST
    @Path("/customers")
    public Response addCustomer(Customer customer) {
        customer.setId(id.incrementAndGet());
        customers.put(customer.getId(), customer);
        return Response.ok(customer).build();
    }
 
    @DELETE
    @Path("/customers/{id}")
    public Response deleteCustomer(@PathParam("id") long id) {
        if (customers.remove(id) != null) {
            return Response.noContent().build();
        } else {
            return Response.status(Status.NOT_FOUND).build();
        }
    }
}

The last piece we need is to have running web container to host the CustomerResource service. We are going to use Eclipse Jetty but any other HTTP transport supported by Apache CXF will do the job.

import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
 
public class Server {
    public static org.apache.cxf.endpoint.Server create() {
        final JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setResourceClasses(CustomerResource.class);
        sf.setResourceProvider(CustomerResource.class, new SingletonResourceProvider(new CustomerResource()));
        sf.setAddress("http://localhost:9000/");
        return sf.create();
    }
     
    public static void main(String[] args) throws Exception {
        var server = create();
        server.start();
    }
}

Literally, this is all we need from the implementation perspective. The Apache Maven dependencies list is limited to handful of those:

<dependencies>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-transports-http</artifactId>
        <version>4.0.5</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-transports-http-jetty</artifactId>
        <version>4.0.5</version>
    </dependency>
    <dependency>
        <groupId>org.apache.cxf</groupId>
        <artifactId>cxf-rt-frontend-jaxrs</artifactId>
        <version>4.0.5</version>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>1.5.7</version>
    </dependency>
</dependencies>

Cool, so what is next? The GraalVM project provides Native Build Tools to faciliate building native images, including dedicated Apache Maven plugin. However, if we just add the plugin into the build, the resulting native image won't be functionable, even if the build succeeds:

$./target/cxf-jax-rs-graalvm-server

Exception in thread "main" java.lang.ExceptionInInitializerError
        at java.base@21.0.2/java.lang.Class.ensureInitialized(DynamicHub.java:601)
        at com.example.jaxrs.graalvm.Server.create(Server.java:27)
        at com.example.jaxrs.graalvm.Server.main(Server.java:35)
        at java.base@21.0.2/java.lang.invoke.LambdaForm$DMH/sa346b79c.invokeStaticInit(LambdaForm$DMH)
Caused by: java.util.MissingResourceException: Can't find bundle for base name org.apache.cxf.jaxrs.Messages, locale en
        at java.base@21.0.2/java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:2059)
        at java.base@21.0.2/java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1697)
        at java.base@21.0.2/java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1600)
        at java.base@21.0.2/java.util.ResourceBundle.getBundle(ResourceBundle.java:1283)
        at org.apache.cxf.common.i18n.BundleUtils.getBundle(BundleUtils.java:94)
        at org.apache.cxf.jaxrs.AbstractJAXRSFactoryBean.<clinit>(AbstractJAXRSFactoryBean.java:69)
        ... 4 more

Why is that? GraalVM operates under closed world assumption: all classes and all bytecodes that are reachable at run time must be known at build time. Since a majority of the frameworks, Apache CXF included, does not comply with such assumptions, GraalVM needs some help: tracing agent. The way we are going to let GraalVM capture all necessary metadata is pretty straightforward:

add test cases which exercise the service logic (more is better)
run test suite using tracing agent instrumentation
build the native image using the metadata collected by the tracing agent

If that sounds like a plan to you, let us add the test case first:

import java.io.InputStream;
import java.io.IOException;
 
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
 
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.Response;
 
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.MatcherAssert.assertThat;
 
public class ServerTest {
    private org.apache.cxf.endpoint.Server server;
     
    @BeforeEach
    public void setUp() {
        server = Server.create();
        server.start();
    }
     
    @Test
    public void addNewCustomer() throws IOException {
        var client = ClientBuilder.newClient().target("http://localhost:9000/customers");
        try (InputStream in = getClass().getResourceAsStream("/add_customer.xml")) {
            try (Response response = client.request().post(Entity.xml(in))) {
                assertThat(response.getStatus(), equalTo(200));
            }
        }
    }
 
    @Test
    public void listCustomers() {
        var client = ClientBuilder.newClient().target("http://localhost:9000/customers");
        try (Response response = client.request().get()) {
            assertThat(response.getStatus(), equalTo(200));
        }
    }
 
    @AfterEach
    public void tearDown() {
        server.stop();
        server.destroy();
    }
}

Awesome, with tests in place, we could move on and integrate Native Build Tools into our Apache Maven build. It is established practice to have a dedicated profile for native image since the process could take quite a lot of time (and resources):

<profiles>
    <profile>
        <id>native-image</id>
        <activation>
            <property>
                <name>native</name>
            </property>
        </activation>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.graalvm.buildtools</groupId>
                    <artifactId>native-maven-plugin</artifactId>
                    <extensions>true</extensions>
                    <version>0.10.2</version>
                    <executions>
                        <execution>
                            <goals>
                                <goal>compile-no-fork</goal>
                            </goals>
                            <phase>package</phase>
                        </execution>
                    </executions>
                    <configuration>
                        <agent>
                            <enabled>true</enabled>
                            <defaultMode>direct</defaultMode>
                            <modes>
                                <direct>config-output-dir=${project.build.directory}/native/agent-output</direct>
                            </modes>
                        </agent>
                        <mainClass>com.example.jaxrs.graalvm.Server</mainClass>
                        <imageName>cxf-jax-rs-graalvm-server</imageName>
                        <buildArgs>
                            <buildArg>--enable-url-protocols=http</buildArg>
                            <buildArg>--no-fallback</buildArg>
                            <buildArg>-Ob</buildArg>
                        </buildArgs>
                        <metadataRepository>
                            <enabled>false</enabled>
                        </metadataRepository>
                        <resourcesConfigDirectory>${project.build.directory}/native</resourcesConfigDirectory>
                    </configuration>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>

It may look a bit complicated but fear not. The first thing to notice is that we configure tracing agent in the <agent> ... </agent> section. The captured metadata is going to be dumped into ${project.build.directory}/native/agent-output folder. Later on, the native image builder will refer to it as part of the <resourcesConfigDirectory> ... </resourcesConfigDirectory> configuration option. The profile is activated by the presence of native property.

Time to see each step in action! First thing first, run tests and capture the metadata:

$ mvn clean -Dnative test

...

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.977 s
[INFO] Finished at: 2024-08-30T15:50:55-04:00
[INFO] ------------------------------------------------------------------------

If we list the content of the target/native folder, we should see something like that:

$ tree target/native/

target/native/
└── agent-output
    ├── agent-extracted-predefined-classes
    ├── jni-config.json
    ├── predefined-classes-config.json
    ├── proxy-config.json
    ├── reflect-config.json
    ├── resource-config.json
    └── serialization-config.json

If curious, you could inspect the content of each file, since it is just JSON, but we are going to proceed to the next step right away:

$ mvn -Dnative -DskipTests package

GraalVM Native Image: Generating 'cxf-jax-rs-graalvm-server' (executable)...
========================================================================================================================
Warning: Could not resolve org.junit.platform.launcher.TestIdentifier$SerializedForm for serialization configuration.
Warning: Could not resolve org.junit.platform.launcher.TestIdentifier$SerializedForm for serialization configuration.
[1/8] Initializing...                                                                                    (5.7s @ 0.10GB)
 Java version: 21.0.2+13, vendor version: GraalVM CE 21.0.2+13.1
 Graal compiler: optimization level: b, target machine: x86-64-v3
 C compiler: gcc (linux, x86_64, 9.4.0)
 Garbage collector: Serial GC (max heap size: 80% of RAM)
 2 user-specific feature(s):
 - com.oracle.svm.thirdparty.gson.GsonFeature
 - org.eclipse.angus.activation.nativeimage.AngusActivationFeature
------------------------------------------------------------------------------------------------------------------------
Build resources:
 - 9.99GB of memory (64.5% of 15.49GB system memory, determined at start)
 - 16 thread(s) (100.0% of 16 available processor(s), determined at start)
[2/8] Performing analysis...  [*****]                                                                   (31.2s @ 1.59GB)
   12,363 reachable types   (85.2% of   14,503 total)
   21,723 reachable fields  (63.2% of   34,385 total)
   61,933 reachable methods (57.6% of  107,578 total)
    3,856 types,   210 fields, and 2,436 methods registered for reflection
       62 types,    69 fields, and    55 methods registered for JNI access
        4 native libraries: dl, pthread, rt, z
[3/8] Building universe...                                                                               (4.8s @ 1.85GB)
[4/8] Parsing methods...      [**]                                                                       (3.0s @ 1.16GB)
[5/8] Inlining methods...     [***]                                                                      (2.2s @ 1.35GB)
[6/8] Compiling methods...    [*****]                                                                   (25.4s @ 1.89GB)
[7/8] Layouting methods...    [***]                                                                      (6.2s @ 1.49GB)
[8/8] Creating image...       [***]                                                                      (7.5s @ 2.03GB)
  32.41MB (49.57%) for code area:    38,638 compilation units
  30.78MB (47.08%) for image heap:  325,764 objects and 152 resources
   2.19MB ( 3.35%) for other data
  65.38MB in total

...

========================================================================================================================
Finished generating 'cxf-jax-rs-graalvm-server' in 1m 26s.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:30 min
[INFO] Finished at: 2024-08-30T15:58:42-04:00
[INFO] ------------------------------------------------------------------------

And we should end up with a fully functional executable, let us make sure this is the case:

$ ./target/cxf-jax-rs-graalvm-server

Aug 30, 2024 4:03:22 PM org.apache.cxf.endpoint.ServerImpl initDestination
INFO: Setting the server's publish address to be http://localhost:9000/
16:03:22.987 [main] INFO  org.eclipse.jetty.server.Server -- jetty-11.0.22; built: 2024-06-27T16:27:26.756Z; git: e711d4c7040cb1e61aa68cb248fa7280b734a3bb; jvm 21.0.2+13-jvmci-23.1-b30
16:03:22.993 [main] INFO  o.e.jetty.server.AbstractConnector -- Started ServerConnector@5725648b{HTTP/1.1, (http/1.1)}{localhost:9000}
16:03:22.994 [main] INFO  org.eclipse.jetty.server.Server -- Started Server@1f9511a6{STARTING}[11.0.22,sto=0] @24ms
16:03:22.994 [main] INFO  o.e.j.server.handler.ContextHandler -- Started o.a.c.t.h.JettyContextHandler@375bd1b5{/,null,AVAILABLE}

If we open up another terminal window and run curl from the command line, we should be hitting the instance of our service and getting successful responses back:

$curl http://localhost:9000/customers -H "Content-Type: application/xml" -d @src/test/resources/add_customer.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Customer>
	<id>3</id>
    <name>Jack</name>
</Customer>

All the credits go to GraalVM team! Before we wrap up, you might be asking yourself if this the only way? And the short answer is "no": ideally, you should be able to add Native Build Tools and be good to go. The GraalVM Reachability Metadata Repository is the place that enables users of GraalVM native image to share and reuse metadata for libraries and frameworks in the Java ecosystem. Sadly, Apache CXF is not there just yet ... as many others.

The complete project sources are available on Github.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

Thursday, May 30, 2024

JDK release cadence and the pain of endless technical debt

The shiny new code you are writing today is the legacy one tomorrow: this is probably the only flaw that new JDK release cadence brings to the table. Well, with all the respect, this is the price to pay to keep up with the pace of innovation, right? Yes, but your mileage may vary ... a lot.

To put things in perspective, let us start with a few examples, all taken from the open-source projects under Apache Software Foundation umbrella. The first one we are going to look at is switch statements, typically used like that:

@Override
protected int nextChild() {
    ElementFrame<Node, Node> frame = getCurrentFrame();
    if (frame.currentChild == null) {
        content = getCurrentNode().getFirstChild();
    } else {
        content = frame.currentChild.getNextSibling();
    }
 
    frame.currentChild = content;
    switch (content.getNodeType()) {
        case Node.ELEMENT_NODE:
            return START_ELEMENT;
        case Node.TEXT_NODE:
            return CHARACTERS;
        case Node.COMMENT_NODE:
            return COMMENT;
        case Node.CDATA_SECTION_NODE:
            return CDATA;
        case Node.ENTITY_REFERENCE_NODE:
            return ENTITY_REFERENCE;
        case Node.PROCESSING_INSTRUCTION_NODE:
            return PROCESSING_INSTRUCTION;
        default:
            throw new IllegalStateException("Found type: " + content.getClass().getName());
    }
}

Is it something you would type these days on modern JDK (and by modern, I would safely assume at least JDK-21), that has JEP-361: Switch Expressions incorporated? I doubt that, the switch expression is much better fit here:

@Override
protected int nextChild() {
    ElementFrame<Node, Node> frame = getCurrentFrame();
    if (frame.currentChild == null) {
        content = getCurrentNode().getFirstChild();
    } else {
        content = frame.currentChild.getNextSibling();
    }
 
    frame.currentChild = content;
    return switch (content.getNodeType()) {
        case Node.ELEMENT_NODE -> START_ELEMENT;
        case Node.TEXT_NODE -> CHARACTERS;
        case Node.COMMENT_NODE -> COMMENT;
        case Node.CDATA_SECTION_NODE -> CDATA;
        case Node.ENTITY_REFERENCE_NODE -> ENTITY_REFERENCE;
        case Node.PROCESSING_INSTRUCTION_NODE -> PROCESSING_INSTRUCTION;
        default -> throw new IllegalStateException("Found type: " + content.getClass().getName());
    };
}

If that is not convincing, another example would clear any doubts up. Here we have quite straightforward SimplePrincipal class (data class as we would normally call such classes):

public class SimplePrincipal implements Principal, Serializable {
    private static final long serialVersionUID = -5171549568204891853L;
 
    private final String name;
 
    public SimplePrincipal(String name) {
        if (name == null) {
            throw new IllegalArgumentException("Principal name can not be null");
        }
        this.name = name;
    }
 
    public String getName() {
        return name;
    }
 
    public boolean equals(Object obj) {
        if (!(obj instanceof SimplePrincipal)) {
            return false;
        }
 
        return name.equals(((SimplePrincipal)obj).name);
    }
 
    public int hashCode() {
        return name.hashCode();
    }
 
    public String toString() {
        return name;
    }
}

With the record classes, introduced by JEP 395: Records, we have much better tool at our disposal to model data classes:

public record SimplePrincipal(String name) implements Principal, Serializable {
    public SimplePrincipal {
        if (name == null) {
            throw new IllegalArgumentException("Principal name can not be null");
        }
    }
     
    @Override
    public String getName() {
        return name;
    }
}

The reduction in boilerplate code required is just astonishing. The next power feature (that could be actually used along with records) we are going to look at is sealed classes, interfaces and records, introduced by JEP 409: Sealed Classes. To showcase it, let us take a look at this (simplified) hierarchy of classed:

/**
 * This class is the base class for SSL/TLS parameters that are common
 * to both client and server sides.
 */
public class TLSParameterBase {
    protected static final Collection<String> DEFAULT_HTTPS_PROTOCOLS = 
        Arrays.asList(
            "TLSv1", 
            "TLSv1.1", 
            "TLSv1.2", 
            "TLSv1.3"
        ); 
         
    // Other members
}
 
/**
 * This class extends {@link TLSParameterBase} with client-specific
 * SSL/TLS parameters.
 *
 */
public class TLSClientParameters extends TLSParameterBase {
   // TLSClientParameters class members
}
 
/**
 * This class extends {@link TLSParameterBase} with service-specific
 * SSL/TLS parameters.
 *
 */
public class TLSServerParameters extends TLSParameterBase {
   // TLSServerParameters class members
}

The problem with such design is that anyone could subclass TLSParameterBase (yes, we could make it package private but that would lead to inability to reference it outside of the package), violating the designer's invariants that only server and client ones are expected to exist.

/**
 * This class is the base class for SSL/TLS parameters that are common
 * to both client and server sides.
 */
public sealed class TLSParameterBase permits TLSClientParameters, TLSServerParameters {
    protected static final Collection<String> DEFAULT_HTTPS_PROTOCOLS = 
        Arrays.asList(
            "TLSv1", 
            "TLSv1.1", 
            "TLSv1.2", 
            "TLSv1.3"
        ); 
         
    // Other members
}
 
/**
 * This class extends {@link TLSParameterBase} with client-specific
 * SSL/TLS parameters.
 *
 */
public final class TLSClientParameters extends TLSParameterBase {
   // TLSClientParameters class members
}
 
/**
 * This class extends {@link TLSParameterBase} with service-specific
 * SSL/TLS parameters.
 *
 */
public final class TLSServerParameters extends TLSParameterBase {
   // TLSServerParameters class members
}

The new sealed keyword at the TLSParameterBase class declaration level along with permits clause solves this design flaw once and for all (we could have pushed the refactoring even further and convert TLSParameterBase to record).

Let us move on to a slightly different subject: XML/JSON/YAML/(you name it) as Java Strings.

public class RequestParserUnitTest {
    private static final String USE_KEY_X509_REFERENCE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<wst:RequestSecurityToken xmlns:wst=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
        + "<wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>"
        + "<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issuelt;/wst:RequestType>"
        + "<wst:UseKey>"
        + "<wsse:SecurityTokenReference "
        + "xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
        + "<wsse:Reference URI=\"#x509\">lt;/wsse:Reference>lt;/wsse:SecurityTokenReference>"
        + "</wst:UseKey>"
        + "</wst:RequestSecurityToken>";
         
    // Other members      
}

Admittedly, it looks messy and unmanageable (write once, never touch again). More to that, since this is the unit test case, troubleshooting any failing test cases caused by XML/JSON/... changes is a nightmare. How about using text blocks (multi-line strings) instead, the gem brought to Java language by https://openjdk.org/jeps/378:

public class RequestParserUnitTest {
    private static final String USE_KEY_X509_REFERENCE = """
            <?xml version="1.0" encoding="UTF-8"?>"
            <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
               <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
               <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
               <wst:UseKey>
                  <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                      <wsse:Reference URI="#x509"></wsse:Reference>
                  </wsse:SecurityTokenReference>
              </wst:UseKey>
          </wst:RequestSecurityToken>
      """;
 
    // Other members      
}

Although the usage of instanceof is often considered as an anti-pattern (and lack of proper design), it is pervasive and sneaks into most (if not all) Java codebases.

public static Long getLong(Message message, String key) {
    Object o = message.getContextualProperty(key);
    if (o instanceof Long) {
        return (Long)o;
    } else if (o instanceof Number) {
        return ((Number)o).longValue();
    } else if (o instanceof String) {
        return Long.valueOf(o.toString());
    }
    return null;
}

The introduction of JEP 394: Pattern Matching for instanceof did at least make the instanceof constructs less verbose and more readable:

public static Long getLong(Message message, String key) {
    Object o = message.getContextualProperty(key);
    if (o instanceof Long l) {
        return l;
    } else if (o instanceof Number n) {
        return n.longValue();
    } else if (o instanceof String s) {
        return Long.valueOf(s);
    }
    return null;
}

If we want to make it even more compact, switch expression could help us once again, thanks to enhancements introduced by JEP 441: Pattern Matching for switch:

public static Long getLong(Message message, String key) {
    return switch (message.getContextualProperty(key)) {
        case Long l -> l;
        case Number n ->  n.longValue();
        case String s -> Long.valueOf(s);
        default -> null;
    };
}

The Java language is changing fast, some may say very fast (and we haven't even talked about JVM and standard library changes!). That brings a lot of benefits but at the same time, poses many challenges. Thankfully, the strict compatibility policy that Java language designers prioritize over everything else means that you don't need to rewrite your code, it will still work. It just becomes legacy ... it becomes yet another kind of technical debt to pay ...

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

Saturday, March 23, 2024

JDK-22: The JNI's grave?

Another six months passed and it is about time for a new JDK release: without further ado, please meet JDK-22. The theme of this release is obviously Foreign Function & Memory API that becomes generally available after numerous preview cycles. So what else is there?

JEP-454: Foreign Function & Memory API: introduces an API by which Java programs can interoperate with code and data outside of the Java runtime. By efficiently invoking foreign functions (i.e., code outside the JVM), and by safely accessing foreign memory (i.e., memory not managed by the JVM), the API enables Java programs to call native libraries and process native data without the brittleness and danger of JNI.

By all means, Foreign Function & Memory API (or FFM shortly), was eagerly awaited. For a long time JNI was the only mechanism to access native code on JVM and it has gained pretty infamous reputation of being brittle and outdated. FFM has emerged as a (substantially) better alternative and, after many rounds of previews, the API is finalized in JDK-22.
JEP-423: Region Pinning for G1: reduces latency by implementing region pinning in G1, so that garbage collection need not be disabled during Java Native Interface (JNI) critical regions.

JEP-456: Unnamed Variables & Patterns: enhances the Java programming language with unnamed variables and unnamed patterns, which can be used when variable declarations or nested patterns are required but never used. Both are denoted by the underscore character, _.

To be fair, the positive impact of this small language change on the readability of Java programs is paramount. Familiar to Scala developers for years, it is here for Java developers now.

if (content instanceof String s && s.startsWith("{")) {
    parseJson(s);
} else if (content instanceof String s && s.startsWith("<")) {
    parseXml(s);
} else if (content instanceof String _) {
    throw new IllegalArgumentException("The content type is not detected");
};

It becomes even more evident with records:

sealed interface Response permits NoContentResponse, ContentResponse {}
record NoContentResponse(int status) implements Response {}
record ContentResponse(int status, byte[] content) implements Response {}
 
public int status(final Response response) {
    return switch(response) {
        case NoContentResponse(var status) -> status;
        case ContentResponse(var status, _) -> status;
    };
}

And lamba functions:

1	`BiFunction<String, Number, String> f = (_, n) -> n.toString();`

JEP-458: Launch Multi-File Source-Code Programs: enhances the java application launcher to be able to run a program supplied as multiple files of Java source code. This will make the transition from small programs to larger ones more gradual, enabling developers to choose whether and when to go to the trouble of configuring a build tool.
This is a logical continuation of the JEP 330: Launch Single-File Source-Code Programs, delivered in JDK-11. With this change, Java could seriously challenge the status quo of the established scripting languages.

Couple of new and refined preview language features and APIs are also made into release, just briefly mentioning them here (and we would get back to them once finalized).

JEP-457: Class-File API (Preview): provides a standard API for parsing, generating, and transforming Java class files. This is a preview API.
JEP-447: Statements before super(...) (Preview): in constructors in the Java programming language, allows statements that do not reference the instance being created to appear before an explicit constructor invocation. This is a preview language feature.
JEP-459: String Templates (Second Preview): enhances the Java programming language with string templates. String templates complement Java's existing string literals and text blocks by coupling literal text with embedded expressions and template processors to produce specialized results. This is a preview language feature and API.
JEP-460: Vector API (Seventh Incubator): introduces an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPU architectures, thus achieving performance superior to equivalent scalar computations.
JEP-461: Stream Gatherers (Preview): enhances the Stream API to support custom intermediate operations. This will allow stream pipelines to transform data in ways that are not easily achievable with the existing built-in intermediate operations. This is a preview API.
JEP-462: Structured Concurrency (Second Preview): simplifies concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as a single unit of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API.
JEP-463: Implicitly Declared Classes and Instance Main Methods (Second Preview): evolves the Java programming language so that students can write their first programs without needing to understand language features designed for large programs. Far from using a separate dialect of the language, students can write streamlined declarations for single-class programs and then seamlessly expand their programs to use more advanced features as their skills grow. This is a preview language feature.
JEP-464: Scoped Values (Second Preview): introduces scoped values, which enable managed sharing of immutable data both with child frames in the same thread, and with child threads. Scoped values are easier to reason about than thread-local variables and have lower space and time costs, especially when used in combination with Virtual Threads and Structured Concurrency. This is a preview API.

Every new JDK release comes with a long list of bugfixes, and in case of JDK-22, there are quite a few worth mentioning:

JDK-8318160: javac does not reject private method reference with type-variable receiver, which may break some existing code that inadvertently exploited this bug, for example:

import java.util.function.Function;
 
class Test {
    private String asString() {
        return "bar";
    }
 
    static <T extends Test> Function>T, String> foo() {
        return T::asString;
    }
} 

This code snippet won't compile in JDK-22 anymore since Test::asString is a private method.

JDK-8225377: type annotations are not visible to javac plugins across compilation boundaries: javac fails to associate type annotations with TypeMirrors for some symbols loaded from the classpath, which prevents plugins from accessing those annotations across compilation boundaries.
JDK-8324051: StringBuffer.repeat does not work correctly after toString() was called: when the method StringBuffer.repeat(CharSequence cs, int count) (or StringBuffer.repeat(int codePoint, int count)) is invoked with parameter count >= 2 after StringBuffer.toString() method was invoked, it does not append the given character sequence repeatedly to the string buffer as expected.
JDK-8323697: Running with -Djdk.tracePinnedThreads set can hang: the "hangs" stem from the onPinned method executing while the virtual thread is in a transition state (typically parking).
JDK-8323430: Heap dump contains duplicate thread records for mounted virtual threads: for mounted virtual threads HeapDumper dumps 2 HPROF_GC_ROOT_THREAD_OBJ subrecords, one of them refers to actual stack trace/stack references, another one has empty stack trace.
JDK-8322863: Thread::getStackTrace can fail with InternalError if virtual thread is timed-parked when pinned: VirtualThread::tryGetStackTrace doesn't handle the TIMED_PINNED state so it's possible for Thread::getStackTrace() to throw InternalError when invoked on a virtual thread that quickly transitions from unmounted to timed-park-while-pinned.
JDK-8320145: Compiler should accept final variable in Record Pattern: according to chapter 14.30.1 of the Java Language Specification, final is allowed (without final, mutating the pattern variable is valid).
JDK-8319330: ExecutableElement.getReceiverType doesn't return receiver types for methods loaded from bytecode: updates javac's implementation of ExecutableElement::getReceiverType() and ExecutableType::getReceiverType() to allow accessing type use annotations on receiver types for methods loaded from bytecode.
JDK-8318492: Http2ClientImpl should attempt to close and remove connection in stop(): ensures removal of the connection from the pool in cases where the connection is shutdown by an exception, reset, etc.
JDK-8323662: LinkedTransferQueue add and put methods call overridable offer: fixes the regression introduced by JDK-8301341 that resulted in LinkedTransferQueue::put(E e) and LinkedTransferQueue::add(E e) calling overridable LinkedTransferQueue::offer(E e) (the regression caused quite a pain for Elasticsearch and OpenSearch users).
JDK-8321220: JFR: RecordedClass reports incorrect modifiers: The modifiers value reported by RecordedClass::getModifiers() doesn't match the modifiers value provided by Class::getModifiers().

Moving off from bugs and regressions, let us take a look at the interesting new features that JDK-22 delivers across the board:

JDK-8211238: @Deprecated JFR event: adds an event to help users detect their use of deprecated methods.
JDK-8317562: [JFR] Compilation queue statistics: adds a new periodic event to monitor and output statistics for the compiler queues.
JDK-8296246: Support Unicode 15.1: adds support of the Unicode Standard version 15.1.0.
JDK-8305753: Allow JIT compilation for -Xshare:dump: makes it possible for the user to enable the JIT compiler during the CDS dump by specifying -Xshare:dump -Xmixed.
JDK-8285368: Overhaul doc-comment inheritance: an umbrella for a number of issues related to inheritance of doc comments.
JDK-8308593: TCP_KEEPxxxx Extended Socket Options Are Now Supported on the Windows Platform: adds the support of java.net.ExtendedSocketOptions TCP_KEEPIDLE and TCP_KEEPINTERVAL on Windows platforms starting from Windows 10 version 1709 and onwards, and TCP_KEEPCOUNT starting from Windows 10 version 1703 and onwards.
JDK-8318422: Allow poller threads be virtual threads: changes the Linux default poller to use virtual threads.
JDK-8310031: Parallel: Implement better work distribution for large object arrays in old gen: the Parallel GC workers limit work to their stripe and only process interesting parts of large object arrays.
JDK-8308591: JLine as the default Console provider: System::console() has changed to return a Console with enhanced editing features that improve the experience of programs that use the Console API.
JDK-8306819: Consider disabling the compiler's default active annotation processing: stops running annotation processors found on the class path by default (essentially changes annotation processing to be opt-in rather than opt-out). This is a follow up to JDK-8311073: Note if implicit annotation processing is being used (delivered in JDK-21) that began to issue a warning about implicit annotation processing.
JDK-8305104: The Old Core Reflection Implementation Has Been Removed: the new core reflection implementation has been the default since JDK-18 and the old implementation is now removed (respectively, the property -Djdk.reflect.useDirectMethodHandle=false to enable the old core reflection implementation becomes a no-op).

Last but not least, let us talk about the API changes (standard library) that went into this release.

JDK-8309196: Thread.countStackFrames Has Been Removed
JDK-8316160: sun.misc.Unsafe.shouldBeInitialized and ensureClassInitialized Are Removed
The java.io.Console got a new method:
- boolean isTerminal()
The java.lang.Class was also touched:
- static Class<?> forPrimitiveName(String primitiveName)
A hierarchy of java.net.InetAddress classes has one new method added:
There are three new constants added to java.nio.charset.StandardCharsets class:
The interface java.nio.file.Path was enhanced with two more (default) methods:
- default Path resolve(String first, String... more)
- default Path resolve(Path first, Path... more)
The class javax.xml.catalog.CatalogManager now has an alternative catalog resolution method:
- static CatalogResolver catalogResolver(Catalog catalog, CatalogResolver.NotFoundAction action)
In scope of JDK-8302987: Add uniform and spatially equidistributed bounded double streams to RandomGenerator, the java.util.random.RandomGenerator interface got a new (default) method:
- default DoubleStream equiDoubles(double left, double right, boolean isLeftIncluded, boolean isRightIncluded)
The java.util.concurrent.ForkJoinPool and java.util.concurrent.ForkJoinTask continue to improve the concurrency support in the standard library with a couple of new methods in scope of JDK-8288899: java/util/concurrent/ExecutorService/CloseTest.java failed with "InterruptedException: sleep interrupted" bugfix:
- In java.util.concurrent.ForkJoinPool:
  - <T> List<Future<T>> invokeAllUninterruptibly(Collection<? extends Callable<T>> tasks)
- In java.util.concurrent.ForkJoinTask:
  - static <T> ForkJoinTask<T> adaptInterruptible(Runnable runnable, T result)
  - static ForkJoinTask<?> adaptInterruptible(Runnable runnable)
As part of JEP-454: Foreign Function & Memory API, a whole new package java.lang.foreign.* was introduced into the standard library.
JDK-8041488: Locale-Dependent List Patterns brings probably one of the most interesting additions to the standard library, in the form of a new class java.text.ListFormat, that formats or parses a list of strings in a locale-sensitive way. For example, the following snippet:

?
1
2
3
ListFormat
.getInstance(Locale.US, ListFormat.Type.STANDARD, ListFormat.Style.FULL)
.format(List.of("Monday", "Tuesday", "Wednesday"))

would produce a formatted string:
```
    Monday, Tuesday, or Wednesday
    
```

From the security perspective, there are couple of notable changes to highlight (but please, do not hesitate to check out JDK 22 Security Enhancements for more details):

JDK-8318096: Introduce AsymmetricKey interface with a getParams method: adds new interface java.security.AsymmetricKey to the Java standard library.
JDK-8311596: Add separate system properties for TLS server and client for maximum chain length: provides new system properties: jdk.tls.client.maxInboundCertificateChainLength (when in client side, it enforces a maximum certificate chain length accepted from servers) and jdk.tls.server.maxInboundCertificateChainLength (when in server side, it enforces a maximum certificate chain length accepted from clients).

JDK-8281658: Add a security category to the java -XshowSettings option: adds a security category to the java's -XshowSettings option to show settings related to security.

  $ java -XshowSettings:security
  $ java -XshowSettings:security:all
  $ java -XshowSettings:security:properties
  $ java -XshowSettings:security:providers
  $ java -XshowSettings:security:tls

To finish up, it will be useful to mention a few regressions that ended up in JDK-22 release, the fixes are already scheduled for the upcoming major or patch releases:

JDK-8325605: Regression in round-tripping UTF-16 strings after JDK-8311906: strings read with java.nio.file.Files::readString may return incorrect strings when decoding with a charset other than US-ASCII, ISO08859-1, or UTF-8.
JDK-8327860: Java processes get killed, leaving no hs_err/stack trace on macOS 14.4: pretty nasty issue with macOS 14.4 that is affecting all Java versions from JDK 8 to 22 (for more details, please read this announcement Java users on macOS 14 running on Apple silicon systems should consider delaying the macOS 14.4 update from Oracle).
JDK-8319551: Regressions >10% in some JFR Startups: a noticeable increase in startup time can be observed when using the -XX:StartFlightRecording option with smaller applications.

Some may say that JDK-22 is a boring release, but I personally disagree: FFM APIs and formalizing _ usage are all but not boring features.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

Andriy Redko {devmind}

Wednesday, March 26, 2025

JDK-24: the death of SecurityManager

Thursday, December 26, 2024

Simple is finally easy: bootstrapping JAX-RS applications in Java SE environments

Friday, October 11, 2024

JDK-23: the messenger?

Friday, August 30, 2024

Apache CXF at speed of ... native!

Thursday, May 30, 2024

JDK release cadence and the pain of endless technical debt

Saturday, March 23, 2024

JDK-22: The JNI's grave?

Search This Blog

Blog Archive

My LinkedIn Profile

About Me

Followers

Total Pageviews

Andriy Redko {devmind}

Wednesday, March 26, 2025

JDK-24: the death of SecurityManager

Thursday, December 26, 2024

Simple is finally easy: bootstrapping JAX-RS applications in Java SE environments

Friday, October 11, 2024

JDK-23: the messenger?

Friday, August 30, 2024

Apache CXF at speed of ... native!

Thursday, May 30, 2024

JDK release cadence and the pain of endless technical debt

Saturday, March 23, 2024

JDK-22: The JNI's grave?

Search This Blog

Blog Archive

My LinkedIn Profile

About Me

Followers

Subscribe To

Total Pageviews