JDK-8334569 : Add a tool like jdeprscan to find usage of restricted methods
  • Type: CSR
  • Component: tools
  • Priority: P3
  • Status: Draft
  • Resolution: Unresolved
  • Fix Versions: 24
  • Submitted: 2024-06-19
  • Updated: 2024-06-21
Related Reports
CSR :  
Description
Summary
-------

Provide a command-line tool that scans for code that may access native functionality, such as restricted method calls or native method declarations.

Problem
-------

Since the FFM API was finalized in Java 22, as part of the push for 'integrity by default' (https://bugs.openjdk.org/browse/JDK-8305968), code using the restricted methods in the FFM API can face warning messages of the form:

```
WARNING: A restricted method in java.lang.foreign.MemorySegment has been called
WARNING: <restricted method> has been called by <caller class> in <module name>
WARNING: Use --enable-native-access=<module name> to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled
```

In the reference implementation, clients can then use the flag `--enable-native-access=<module name>`, as the warning message suggests, to grant a particular module access to restricted methods, thus silencing the warning.

However, it may be hard to determine ahead of time whether code in a jar file uses native code, because this fact is not documented, or because testing never covers the code path that uses native functionality.

More warnings may be emitted in the future by the restriction of JNI: https://bugs.openjdk.org/browse/JDK-8307341. However, even if JNI is never restricted, a client may still want to know if a library they are using accesses native code.

Solution
--------

Add a static analysis tool, called `jnativescan`, that finds restricted method calls and native method declarations. It tells users whether code in jar files accesses native functionality and, if so, which modules, classes and methods do so.
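
As an added illustration (not `jnativescan`'s implementation and not code from this CSR), the sketch below shows the simpler half of such a scan: walking a class file's method table and reporting methods whose access flags include `ACC_NATIVE`. The names `native_methods` and `sample_class` and the `Demo` class bytes are constructed for this example; detecting restricted method calls is not covered.

```python
import struct

ACC_NATIVE = 0x0100  # method access flag (JVMS 4.6)
# Payload size per constant-pool tag (JVMS 4.4); Utf8 (tag 1) is variable-length.
CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
           12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def native_methods(data):
    """Return [(name, descriptor)] of methods declared native in one class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pos, idx, utf8 = 10, 1, {}
    while idx < count:
        tag = data[pos]
        if tag == 1:
            (n,) = struct.unpack_from(">H", data, pos + 1)
            utf8[idx] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        else:
            pos += 1 + CP_SIZE[tag]  # KeyError on an unknown tag
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    (n_ifaces,) = struct.unpack_from(">H", data, pos + 6)  # after flags, this, super
    pos += 8 + 2 * n_ifaces
    found = []
    for is_method in (False, True):  # field table, then method table
        (n_members,) = struct.unpack_from(">H", data, pos)
        pos += 2
        for _ in range(n_members):
            flags, name, desc, n_attrs = struct.unpack_from(">HHHH", data, pos)
            pos += 8
            for _ in range(n_attrs):  # skip attributes (Code, Signature, ...)
                (length,) = struct.unpack_from(">I", data, pos + 2)
                pos += 6 + length
            if is_method and flags & ACC_NATIVE:
                found.append((utf8[name], utf8[desc]))
    return found

def sample_class():
    """Constructed input: abstract class Demo with a native and an abstract method."""
    def utf(s):
        return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = [utf("Demo"), b"\x07\x00\x01", utf("java/lang/Object"), b"\x07\x00\x03",
          utf("probe"), utf("()I"), utf("run"), utf("()V")]
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(cp) + 1) + b"".join(cp)
            + struct.pack(">HHHHHH", 0x0421, 2, 4, 0, 0, 2)  # class header, 2 methods
            + struct.pack(">HHHH", 0x0101, 5, 6, 0)          # public native int probe()
            + struct.pack(">HHHH", 0x0401, 7, 8, 0)          # public abstract void run()
            + struct.pack(">H", 0))                          # no class attributes
```

To cover a jar, apply `native_methods` to every entry whose name ends in `.class`, read for example with Python's `zipfile` module.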

Specification
-------------

A copy of the generated man page is attached.