JDK-26: incremental improvement

Time for celebration once again: the JDK-26 was released just a few days ago! Although from all perspectives this release looks like incremental improvement (not a feature fest), it is worth paying close attention to.

• JEP 500: Prepare to Make Final Mean Final: issues warnings about uses of deep reflection to mutate final fields. These warnings aim to prepare developers for a future release that ensures integrity by default by restricting final field mutation, which will make Java programs safer and potentially faster. Application developers can avoid both current warnings and future restrictions by selectively enabling the ability to mutate final fields where essential using --enable-final-field-mutation=module1,module2,... and --illegal-final-field-mutation=allow|warn}debug|deny command line arguments.

• JEP 516: Ahead-of-Time Object Caching with Any GC: enhances the ahead-of-time cache, which enables the HotSpot Java Virtual Machine to improve startup and warmup time, so that it can be used with any garbage collector, including the low-latency Z Garbage Collector (ZGC). Achieve this by making it possible to load cached Java objects sequentially into memory from a neutral, GC-agnostic format, rather than map them directly into memory in a GC-specific format.

  GC-specific cached objects are mapped directly into memory, while GC-agnostic cached objects are streamed into memory. You can explicitly create a cache whose objects are in the streamable, GC-agnostic format by specifying -XX:+AOTStreamableObjects.

• JEP 517: HTTP/3 for the HTTP Client API: updates the HTTP Client API to support the HTTP/3 protocol, so that libraries and applications can interact with HTTP/3 servers with minimal code change.

    var client = HttpClient
        .newBuilder()
        .version(HttpClient.Version.HTTP_3)
        .build();
    

  Interestingly, JDK does not provide HTTP/3 server implementation (yet), however Netty library, the de facto standard in Java ecosystem for implementing high performance protocol servers (and clients), is supporting HTTP/3 in 4.2 release line.

• JEP 522: G1 GC: Improve Throughput by Reducing Synchronization: increases application throughput when using the G1 garbage collector by reducing the amount of synchronization required between application threads and GC threads.

• JEP 504: Remove the Applet API: removes the Applet API, which was deprecated for removal in JDK 17. It is obsolete because neither recent JDK releases nor current web browsers support applets.

There are a few JEPs that made into JDK-26 as preview features, all of them are carried over from the previous JDK releases.

• JEP 524: PEM Encodings of Cryptographic Objects (2nd Preview): introduces an API for encoding objects that represent cryptographic keys, certificates, and certificate revocation lists into the widely-used Privacy-Enhanced Mail (PEM) transport format, and for decoding from that format back into objects. This is a preview API feature.

• JEP 525: Structured Concurrency (6th Preview): simplifies concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as single units of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API feature.

• JEP 526: Lazy Constants (2nd Preview): introduces an API for lazy constants, which are objects that hold unmodifiable data. Lazy constants are treated as true constants by the JVM, enabling the same performance optimizations that are enabled by declaring a field final. Compared to final fields, however, lazy constants offer greater flexibility as to the timing of their initialization. This is a preview API feature.

  This feature used to be known as stable values (JDK-25) and was renamed to lazy constants to better capture its intended use cases.

• JEP 530: Primitive Types in Patterns, instanceof, and switch (4th Preview): enhances pattern matching by allowing primitive types in all pattern contexts, and extend instanceof and switch to work with all primitive types. This is a preview API feature.

• JEP 529: Vector API (11th Incubator): introduces an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPUs, thus achieving performance superior to equivalent scalar computations.

Indeed, the list of JEPs is not very impressive, but it does not make JDK-26 less important. There are quite a lot of interesting fixes and improvements in this release.

• JDK-8369432: Add Support for JDBC 4.5 MR: the JDBC 4.5 MR is small update to the JDBC specification and may have an impact on compatibility with some driver implementations.

• JDK-8346944: Update Unicode Data Files to 17.0.0: supports the Unicode Standard version 17.0.

• JDK-8354548: Update CLDR to Version 48.0: upgrades the CLDR data in the JDK to version 48.0.

• JDK-8364993: JFR: Disable jdk.ModuleExport in default.jfc: some applications with lots of code can produce an enormous number of ModuleExport events and associated constant pool data.

• JDK-8364556: JFR: Disable SymbolTableStatistics and StringTableStatistics in default.jfc: there were reports of slow response time due to these two events.

• JDK-8365057: Add support for java.util.concurrent lock information to Thread.dump_to_file: the thread dump generated by the com.sun.management.HotSpotDiagnosticMXBean.dumpThreads(...) and the diagnostic command jcmd <pid> Thread.dump_to_file now includes information about park blocker owner for threads that are parked on java.util.concurrent.locks.AbstractOwnableSynchronizer objects.

• JDK-8212084: G1: Implement UseGCOverheadLimit: the G1 garbage collector now throws an OutOfMemoryError when the garbage collection overhead is more than GCTimeLimit percent (default value 98) and the free Java heap is less than GCHeapFreeLimit percent (default value 2) for five consecutive garbage collections. This feature is enabled by default and can be disabled using the -XX:-UseGCOverheadLimit command line option.

• JDK-8048180: G1: Eager reclaim of humongous objects with references: the G1 garbage collector now eagerly reclaims eligible humongous (very large objects that occupy more than half a heap region) objects containing references.

• JDK-8325467: Support methods with many arguments in C2: the C2 JIT compiler can now compile Java methods with a large number of parameters. Previously, C2 would attempt to compile such methods but bail out, causing the JVM to fall back to C1-compiled code or the interpreter.

• JDK-8366434: THP not working properly with G1 after JDK-8345655: fixes the regression introduced in JDK-25 where on systems configured with the Transparent Huge Pages (THP) mode as madvise, the option -XX:+UseTransparentHugePages does not enable huge pages when running with the default garbage collector G1. The issue preventing the option -XX:+UseTransparentHugePages from enabling THP has been resolved.

• JDK-8371986: Remove the default value of InitialRAMPercentage: removes the default value of InitialRAMPercentage. Now, if the user does not specify an initial Java heap size, the JVM sets the initial heap size to the minimum possible heap size, which equals to MinHeapSize. This improves startup performance for default JVM configurations by reducing internal memory initialization.

• JDK-8368740: Serial: Swap eden and survivor spaces position in young generation: if the heap is almost full, Serial GC will try everything to expand eden in order to satisfy the allocation request. This can cause eden size to grow beyond the limit determined by SurvivorRatio however the new behavior may avoid OutOfMemoryError's in very tight heap situations that would previously often lead to JVM termination.

• JDK-8364638: Refactor and make accumulated GC CPU time code generic: at VM exit -Xlog:cpu now prints a table breaking down VM CPU usage into components.

      [62.719s][info][cpu] === CPU time Statistics =============================================================
      [62.719s][info][cpu] CPUs
      [62.719s][info][cpu] s % utilized
      [62.719s][info][cpu] Process
      [62.719s][info][cpu] Total 410.2789 100.00 6.5
      [62.719s][info][cpu] Garbage Collection 124.8134 30.42 2.0
      [62.719s][info][cpu] GC Threads 124.5082 30.35 2.0
      [62.719s][info][cpu] VM Thread 0.3052 0.07 0.0
      [62.719s][info][cpu] =====================================================================================
      

• JDK-8359110: Log accumulated GC and process CPU time upon VM exit: adds support to log CPU cost for GC during VM exit with -Xlog:gc+cpu.

      [2,430s][info][gc,cpu] GC CPU usage: 22,87% (Process: 26,8926s GC: 6,1491s)
      

• JDK-8369346: Remove default value of and deprecate the MaxRAM flag: removes the default value of the MaxRAM flag so that it only has an effect if a user explicitly sets it; otherwise, ergonomic heap sizing will be based solely on physical memory reported by the operating system. Additionally, the MaxRAM flag should be deprecated.

• JDK-8370814: Deprecate AggressiveHeap: the AggressiveHeap flag, while intended to simplify JVM tuning for memory-intensive applications, introduces ambiguity and maintenance challenges, making it unsuitable as a general-purpose optimization option. The flag is deprecated for removal.

• JDK-8369238: Allow virtual thread preemption on some common class initialization paths: a virtual thread that tries to initialize a class already being initialized by another thread will now, in most cases, be unmounted from its carrier while waiting. Previously, the behavior was to pin the virtual thread to its carrier while waiting for the other thread to execute the class initializer.

• JDK-8366691: JShell should support a more convenient completion: enhances the JShell API with a support for more powerful code completion for JShell snippets, suitable for GUI applications.

• JDK-8330940: Impossible to create a socket backlog greater than 200 on Windows 8+: setting the connection backlog to a value greater than 200 in java.net.ServerSocket, java.nio.channels.ServerSocketChannel, and java.nio.channels.AsynchronousServerSocketChannel is now effective on Windows. Previously it was clamped at 200.

• JDK-8370057: Correct scale handling of BigDecimal.sqrt: changes the preferred scale of java.math.BigDecimal#sqrt to align with IEEE 754.

• JDK-8363972: Lenient parsing of minus sign pattern in DecimalFormat/CompactNumberFormat: the java.text.NumberFormat now allows implementations to parse the minus sign in negative patterns leniently when in lenient mode (java.text.NumberFormat#isStrict() returns false).

• JDK-8357653: Inner classes of type parameters emitted as raw types in signatures: fixes the issue when the code that names an inner class is erroneously classified as raw and as a result is erroneously rejected (example below).

    static abstract class Getters<T> {
        abstract class Getter {
            abstract T get();
        }
    }
  
    static class Usage<T, G extends Getters<T>> {
        public T test(G.Getter getter) {
            return getter.get();       // incompatible types: Object cannot be converted to T
        }
    }
    

• JDK-8369517: Compilation mismatch for equivalent lambda and method reference: fixes the Java compiler behavior when a capture conversion should be applied when deciding if a method reference is compatible with a given function type.

      interface Main {
        interface X>T< {
            X>T< self();
        }
  
        static X>?< makeX() {
            return null;
        }
  
        static >R< X>R< create(Supplier>? extends R< supplier) {
            return null;
        }
  
        static X>X>?<< methodRef() {
            return create(Main::makeX).self();
        }
  
        static X>X>?<< lambda() {
            return create(() -> makeX()).self(); // incompatible types: 
        }
    } 
      

• JDK-7105350: HttpExchange's attributes are the same as HttpContext's attributes: fixes an issue when the com.sun.net.httpserver.HttpExchange attribute map was shared with the enclosing com.sun.net.httpserver.HttpContext.

• JDK-8362561: Remove diagnostic option AllowArchivingWithJavaAgent: some old CDS tests cases use Java agents during java -Xshare:dump execution for injecting Java agents and require the diagnostic -XX:+AllowArchivingWithJavaAgent command line option which can sometimes be abused and produce undesirable side effects.

For more elaborate overview of GC changes, please refer to JDK 26 G1/Parallel/Serial GC changes blog post. Besides just JEP 517, the java.net.http.HttpClient got quite a lot of attention in this JDK release, certainly worth highlighting separately.

• JDK-8367112: HttpClient does not support Named Groups set on SSLParameters: during the setup of new connections, java.net.http.HttpClient now uses the signature schemes and named groups configured on java.net.ssl.SSLParameters when negotiating the TLS handshake. Previously these configured values were ignored.

• JDK-8358942: HttpClient adds Content-Length: 0 for a GET request with a BodyPublishers.noBody(): java.net.http.HttpClient has been updated to stop sending the Content-Length header on HTTP/1.1 requests using a HTTP methods other than POST or PUT when provided with a HttpRequest.BodyPublisher that reports a contentLength() of zero bytes.

• JDK-8351983: HttpCookie Parser Incorrectly Handles Cookies with Expires Attribute: the java.net.HttpCookie has been updated to correctly handle cookies with both Expires and Max-Age attributes.

• JDK-8208693: HttpClient: Extend the request timeout's scope to cover the response body: the java.net.http.HttpClient request timeout set via java.net.http.HttpRequest.Builder::timeout(...) previously applied only until the response headers were received. Its scope has now been extended to also cover the consumption of the response body, if present.

• JDK-8329829: HttpClient: Add a BodyPublishers.ofFileChannel method: add a new static ofFileChannel(FileChannel channel, long offset, long length) method to java.net.HttpRequest.BodyPublishers to allow an java.net.http.HttpClient request body publisher to upload a certain region of a file.

• Also, java.net.http.HttpRequest got a new method:

  • public <T> Optional<T> getOption(HttpOption<T> option)

Another notable changes in JDK include:

• JDK-8366575: Remove SDP support: InfiniBand SDP (Sockets Direct Protocol) has been obsolete for more than a decade and is no longer maintained on any major platform, and cannot be used on modern systems.

• JDK-8332623: Remove setTTL()/getTTL() methods from DatagramSocketImpl/MulticastSocket and MulticastSocket.send(DatagramPacket, byte): removes the following terminally deprecated methods from java.net.MulticastSocket:

  • public void setTTL(byte ttl) throws IOException
  • public byte getTTL() throws IOException
  • public void send(DatagramPacket p, byte ttl) throws IOException

  and the following terminally deprecated methods from java.net.DatagramSocketImpl

  • protected void setTTL(byte ttl) throws IOException
  • protected byte getTTL() throws IOException

• JDK-8356557: Update CodeSource::implies API documentation and deprecate java.net.SocketPermission class for removal: deprecates java.net.SocketPermission for removal and removes dependencies on java.net.SocketPermission from java.security.CodeSource#implies(...).

• JDK-8366577: Deprecate java.net.Socket::setPerformancePreferences: deprecates the method setPerformancePreferences in java.net.Socket, java.net.SocketImpl, and java.net.ServerSocket for removal without any replacement.

• JDK-8368226: Remove Thread.stop: removes java.lang.Thread#stop() method.

• JDK-8370387: Remove handling of InterruptedIOException from java.io classes: removes uses of java.io.InterruptedIOException from relevant classes in its package (the class java.io.InterruptedIOException is problematic and is targeted for deprecation and eventual removal).

• JDK-8364361: [process] java.lang.Process should implement Closeable: the addition of java.lang.Process#close() and the implementation of java.io.Closeable and java.lang.AutoCloseable interfaces to java.lang.Process allow for consistent and reliable cleanup.

• JDK-8362448: Make use of the Double.toString(double) algorithm in java.text.DecimalFormat: by using the same algorithm used by java.lang.Double#toString() and java.util.Formatter, the behavior of java.text.DecimalFormat becomes aligned with these and produce comparable outcomes.

• JDK-8362637: Convert java.nio.ByteOrder to an enum: converts java.nio.ByteOrder to an enum for use in switch expressions.

• JDK-8334015: Add Support for UUID Version 7 (UUIDv7) defined in RFC 9562: adds a static factory method java.util.UUID#ofEpochMillis(long) to create Version 7 UUIDs as defined in RFC 9562, embedding the supplied Unix time in milliseconds.

• JDK-8368527: JMX: Add an MXBeans method to query GC CPU time: adds a new method to java.lang.management.MemoryMXBean to return the accumulated CPU time in nanoseconds for GC related activity.

  • default long getTotalGcCpuTime()

• JDK-8365675: Add String Unicode Case-Folding Support: adds Unicode standard-compliant case-less comparison methods to the java.lang.String class, enabling and improving reliable and efficient Unicode-aware/compliant case-insensitive matching.

  • public int compareToFoldCase(String str)
  • public boolean equalsFoldCase(String anotherString)

• JDK-8368856: Add a method that performs saturating addition of a Duration to an Instant: adds new java.time.Instant#plusSaturating(Duration) method.

• JDK-8366829: Add java.time.Duration constants MIN and MAX: adds to java.time.Duration two new constants MIN and MAX.

• JDK-8356995: Provide default methods min(T, T) and max(T, T) in Comparator interface: new default methods java.util.Comparator#min(...) and java.util.Comparator#max(...) have been added to the java.util.Comparator interface, which allow finding greater or smaller of two objects (according to this comparator).

• In addition, java.math.BigInteger got two new methods:

  • public BigInteger[] rootnAndRemainder(int n)
  • public BigInteger rootn(int n)

This is pretty much it but we haven't talked about security related changes, it is just about time.

• JDK-8343232: PKCS#12 KeyStore support for RFC 9879: Use of Password-Based Message Authentication Code 1 (PBMAC1): the support of a new stronger MAC algorithm for PKCS#12 defined in RFC 9879 has been implemented.

• JDK-8349732: Add support for JARs signed with ML-DSA: adds support for JARs signed with ML-DSA, based on IETF RFC 9882.

• JDK-8325448: Hybrid Public Key Encryption: implement HPKE (Hybrid Public Key Encryption) as defined in RFC 9180 in the form of a JCE javax.crypto.Cipher.

• JDK-8244336: Restrict algorithms at JCE layer: creates a new security property jdk.crypto.disabledAlgorithms that restricts crypto algorithms at the JCE layer.

• JDK-8359956: Support algorithm constraints and certificate checks in SunX509 key manager: supports TLS algorithm constraints and certificate checks in SunX509 key manager which is currently the default key manager.

• JDK-8361964: Remove outdated algorithms from requirements and add PBES2 algorithms: removes the following algorithms from the list of required algorithms as they are no longer recommended, and should not be in wide usage anymore:

    AlgorithmParameters: DESede
      Cipher:
          DESede/CBC/NoPadding
          DESede/CBC/PKCS5Padding
          DESede/ECB/NoPadding
          DESede/ECB/PKCS5Padding
          RSA/ECB/PKCS1Padding
      KeyGenerator: DESede
      SecretKeyFactory: DESede
  

  Add the following PBES2 algorithms from PKCS#5 v2.1 as new requirements:

      AlgorithmParameters:
          PBEWithHmacSHA256AndAES_128
          PBEWithHmacSHA256AndAES_256
      Cipher:
          PBEWithHmacSHA256AndAES_128
          PBEWithHmacSHA256AndAES_256
      Mac:
          PBEWithHmacSHA256
      SecretKeyFactory:
          PBEWithHmacSHA256AndAES_128
          PBEWithHmacSHA256AndAES_256
          PBKDF2WithHmacSHA256 
    

• JDK-8359395: XML signature generation does not support user provided SecureRandom: adds a new javax.xml.crypto.dsig.XMLSignContext property named jdk.xmldsig.SecureRandom so that users can provide their own java.security.SecureRandom object when generating an XML signature.

• JDK-8353749: Improve security warning when using JKS or JCEKS keystores: the tools and java.security.KeyStore APIs have been updated to warn users when legacy JKS and JCEKS keystores are used, as they use outdated cryptographic algorithms and will be removed in a future release.

• JDK-8351354: Enhance java -XshowSettings:security:tls to show enabled TLS groups: the output of -XshowSettings:security:tls command line option has been updated to include the list of enabled named groups and the list of enabled signature schemes used for SSL/TLS/DTLS handshakes.

• JDK-8366364: Return enabled signature schemes with SSLConfiguration#getSSLParameters() call: also enhances -XshowSettings:security:tls command line option to show the enabled signature schemes.

• JDK-8371259: ML-DSA AVX2 and AVX512 intrinsics and improvements: delivers new intrinsics using AVX2 instructions on x86_64 platforms for the ML-DSA signature algorithm in the SUN security provider. This feature also improves the existing AVX512 intrinsics for the ML-DSA algorithm. This optimization is enabled by default on supporting x86_64 platforms and may be disabled by providing the -XX:+UnlockDiagnosticVMOptions -XX:-UseDilithiumIntrinsics command line options.

If you look for a bit more in-depth overview of the security related changes, please check out JDK 26 Security Enhancements blog post.

To summarize, the gems of JDK-26 release, in my opinion, are JEP 522: G1 GC: Improve Throughput by Reducing Synchronization, JEP 517: HTTP/3 for the HTTP Client API, and JDK-8369238: Allow virtual thread preemption on some common class initialization paths. Those are truly game changing enhancements for quite a wide audience of applications and services. Java continues to impress!

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

DuckDB: very useful were least expected

If you haven't heard about DuckDB yet, you definitely have to check it out. It is fascinating piece of technology for quick data exploration and analysis. But today we are going to talk about somewhat surprising but exceptionally useful area where DuckDB could be tremendously helpful - dealing with chatty HTTP/REST services.

One of the best things about DuckDB is that it is just a single binary (per OS/arch), with no additional dependencies, so the installation process is a breath.

Let me set the stage here. I have been working with OpenSearch (and Elasticsearch) for years, those are great search engines with very reach HTTP/REST APIs. The production grade clusters constitute hundreds of nodes, and at this scale, mostly every single cluster wide HTTP/REST endpoint invocation returns unmanageable JSON blobs. Wouldn't it be cool to somehow transform such JSON blobs into structured, queryable form somehow? Like relational table for example and run SQL queries over it, without writing a single line of code? It is absolutely doable with DuckDB and its JSON Processing Functions.

As an exercise, we are going to play with Nodes API which returns a detailed per node response, following deep nested JSON structure:

{
  "cluster_name" : "...",
  "_nodes" : {
     ...
  },
  "nodes" : {
    <node1> : {
        ...
    },
    <node2> : {
        ...
    },
    ...
    <nodeN> : {
        ...
    }
  }

Ideally, what we want is to flatten this structure into a table where each row represents individual node and each JSON key becomes an individual column by itself. To put things in the context, each node structure has nested arrays and objects, we will not recursively traverse them (although it is possible but needs more complex transformations). With that, let us start our exploration journey!

The first step is the simplest: extract nodes collection of objects from the Nodes API response and just feed it directly into DuckDB.

$ curl "https://localhost:9200/_nodes?pretty" -u admin:<password> -k --raw -s | duckdb -c "
  WITH nodes AS (
    SELECT key as id, value FROM  read_json_auto('/dev/stdin') AS r, json_each(r, '$.nodes')
  )
  SELECT * FROM nodes"

We would get back something like this (the OpenSearch cluster I use for tests has only two nodes, hence we see only two rows):

┌──────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│          id          │                                                                 value                                                                  │
│       varchar        │                                                                  json                                                                  │
├──────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ YQzVQ_kHT-WnYTReh0…  │ {"name":"opensearch-node2","transport_address":"10.89.0.3:9300","host":"10.89.0.3","ip":"10.89.0.3","version":"3.0.0","build_type":"…  │
│ J9a5OM8STainCdkaLm…  │ {"name":"opensearch-node1","transport_address":"10.89.0.2:9300","host":"10.89.0.2","ip":"10.89.0.2","version":"3.0.0","build_type":"…  │
└──────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Although we could stop just here (since DuckDB lets you query over JSON values easily), we would like to do something useful with value blob: we want it to become a table with real columns. There are many ways that could be accomplished in DuckDB, some do require precise JSON structure (schema) to be provided, some require predefined list of keys upfront. We would stick to dynamic exploration instead and extract all keys from the actual JSON data.

$ curl "https://localhost:9200/_nodes?pretty" -u admin:<password> | duckdb -c "
  WITH nodes AS (
    SELECT key as id, value FROM  read_json_auto('/dev/stdin') AS r, json_each(r, '$.nodes')
  ),
  all_keys AS (
    SELECT distinct(unnest(json_keys(value))) AS key FROM nodes
  )
  SELECT * FROM all_keys"

In the version of the OpenSearch I am running, there are 22 unique keys (JSON field names) returned, an example of the output is below:

┌────────────────────────────────┐
│              key               │
│            varchar             │
├────────────────────────────────┤
│ plugins                        │
│ jvm                            │
│ host                           │
│ version                        │
│ build_hash                     │
│ ...                            │
│ modules                        │
│ build_type                     │
│ os                             │
│ transport                      │
│ search_pipelines               │
│ attributes                     │
├────────────────────────────────┤
│            22 rows             │
└────────────────────────────────┘

Good progress so far, but we need to go over the last mile and build a relational table out of these pieces. This is where DuckDB's powerful PIVOT statement comes in very handy.

$ curl "https://localhost:9200/_nodes?pretty" -u admin:<password> | duckdb -c "
  WITH nodes AS (
    SELECT key as id, value FROM  read_json_auto('/dev/stdin') AS r, json_each(r, '$.nodes')
  ),
  all_keys AS (
    SELECT distinct(unnest(json_keys(value))) AS key FROM nodes
  ),
  keys AS (
    SELECT * FROM all_keys WHERE key not in ['plugins', 'modules']
  )
  SELECT id, node.* FROM nodes, (PIVOT keys ON(key) USING first(json_extract(value, '$.' || key))) as node"

And here we are:

┌──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬───┬──────────────────────┬──────────────────────┬──────────────────────┬───────────────────┬─────────┐
│          id          │     aggregations     │      attributes      │      build_hash      │ … │     thread_pool      │ total_indexing_buf…  │      transport       │ transport_address │ version │
│       varchar        │         json         │         json         │         json         │   │         json         │         json         │         json         │       json        │  json   │
├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼───┼──────────────────────┼──────────────────────┼──────────────────────┼───────────────────┼─────────┤
│ YQzVQ_kHT-WnYTReh0…  │ {"adjacency_matrix…  │ {"shard_indexing_p…  │ "dc4efa821904cc2d7…  │ … │ {"remote_refresh_r…  │ 53687091             │ {"bound_address":[…  │ "10.89.0.3:9300"  │ "3.0.0" │
│ J9a5OM8STainCdkaLm…  │ {"adjacency_matrix…  │ {"shard_indexing_p…  │ "dc4efa821904cc2d7…  │ … │ {"remote_refresh_r…  │ 53687091             │ {"bound_address":[…  │ "10.89.0.2:9300"  │ "3.0.0" │
├──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴───┴──────────────────────┴──────────────────────┴──────────────────────┴───────────────────┴─────────┤
│ 2 rows                                                                                                                                                                      21 columns (9 shown) │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

As we set for the goal, we have transformed each node from JSON to structured table. There is one subtle quirk to mention, the presence of the additional step to filter out plugins and modules fields from the transformations, DuckDB seems to have difficulties pivoting those:

Binder Error:
PIVOT is not supported in correlated subqueries yet

I hope you find it useful, typical enterprise grade HTTP/REST services often throw a pile of JSON at you, try to make sense of it!

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

JDK-25: The Next Big Thing

Not exactly sure why but JDK-25 is a long awaited release. Probably because it is the next LTS (or whatever it means these days), or probably because it establishes a new baseline where there is no place for SecurityManager anymore. In any case, let us talk about everything that JDK-25 bundles in, starting with the stable features first.

• JEP-506: Scoped Values: introduces scoped values, which enable a method to share immutable data both with its callees within a thread, and with child threads. Scoped values are easier to reason about than thread-local variables. They also have lower space and time costs, especially when used together with virtual threads and structured concurrency.

  Since the API is final now, let us take a look at it closely.

     private static final ScopedValue<Object> CONTEXT = ScopedValue.newInstance();
  
     executor.submit(() -> ScopedValue.where(CONTEXT, new Object()).run(() -> {
         final Object context = CONTEXT.get();
         // Use 'context'
      }));
    

  In simple terms, you can think of scoped values as an immutable ThreadLocals, however their true power kicks in with structured concurrency, which sadly is still in preview in JDK-25.

• JEP-511: Module Import Declarations: enhances the Java programming language with the ability to succinctly import all of the packages exported by a module. This simplifies the reuse of modular libraries, but does not require the importing code to be in a module itself.

  This is pretty useful and simple enhancement that helps with imports explosion, for example:

    import module jdk.jfr;
   

• JEP-512: Compact Source Files and Instance Main Methods: evolves the Java programming language so that beginners can write their first programs without needing to understand language features designed for large programs. Far from using a separate dialect of the language, beginners can write streamlined declarations for single-class programs and then seamlessly expand their programs to use more advanced features as their skills grow. Experienced developers can likewise enjoy writing small programs succinctly, without the need for constructs intended for programming in the large.

  It is now possible to omit some boilerplate when using the language:

    void main() {
        IO.println("Hello, World!");
    }
    

• JEP-510: Key Derivation Function API: introduces an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data.

• JEP-503: Remove the 32-bit x86 Port: removes the source code and build support for the 32-bit x86 port. This port was deprecated for removal in JDK 24.

• JEP-514: Ahead-of-Time Command-Line Ergonomics: makes it easier to create ahead-of-time caches, which accelerate the startup of Java applications, by simplifying the commands required for common use cases.

  This is really nice improvement over two-step workflow in JDK 24 (please notice a new -XX:AOTCacheOutput command line flag), only one step is now required:

  $ java -XX:AOTCacheOutput=app.aot -cp app.jar com.example.App ...

  As a convenience, when operating in this way the JVM creates a temporary file for the AOT configuration and deletes the file when finished. The command line to run the application stays the same:

  $ java -XX:AOTCache=app.aot -cp app.jar com.example.App ...

  A new environment variable, JDK_AOT_VM_OPTIONS, can be used to pass command-line options that apply specifically to cache creation (AOTMode=create), without affecting the training run (AOTMode=record). The syntax is the same as for the existing JAVA_TOOL_OPTIONS environment variable. This enables the one-step workflow to apply even in use cases where it might seem that two steps are necessary due to differences in the command-line options.

• JEP-513: Flexible Constructor Bodies: in the body of a constructor, allows statements to appear before an explicit constructor invocation, i.e., super(...) or this(...). Such statements cannot reference the object under construction, but they can initialize its fields and perform other safe computations. This change allows many constructors to be expressed more naturally. It also allows fields to be initialized before they become visible to other code in the class, such as methods called from a superclass constructor, thereby improving safety.

  In my opinion, this feature would greatly improve the readability of the class initialization, let us take a look at the example:

       class ByteArrayInputStreamInputStream extends ByteArrayInputStream {
          public ByteArrayInputStreamInputStream(int size) {
              if (size <= 0) {
                  throw new IllegalArgumentException("The size has to be greater than 0");
              }
              super(new byte[size]);
          }
      }
      

  In pre-JDK-25, super(...) had to be the first statement in the constructor body and we would have no choice but to implement a function to validate the size and return new byte array (or throw an IllegalArgumentException exception).

• JEP-519: Compact Object Headers: changes compact object headers from an experimental feature (introduced in JDK 24) to a product feature. To enable this feature pass command line option:

  $ java -XX:+UseCompactObjectHeaders

• JEP-521: Generational Shenandoah: changes the generational mode of the Shenandoah garbage collector from an experimental feature (introduced in JDK 24) to a product feature. The generational mode could be enabled through command line flags:

  $ java -XX:+UseShenandoahGC -XX:ShenandoahGCMode=generational

• JEP-515: Ahead-of-Time Method Profiling: improves warmup time by making method-execution profiles from a previous run of an application instantly available, when the HotSpot Java Virtual Machine starts. This will enable the JIT compiler to generate native code immediately upon application startup, rather than having to wait for profiles to be collected.

• JEP-518: JFR Cooperative Sampling: improves the stability of the JDK Flight Recorder (JFR) when it asynchronously samples Java thread stacks. Achieves this by walking call stacks only at safepoints, while minimizing safepoint bias.

  There is a new event introduced, jdk.SafepointLatency, which records the time it takes for a thread to reach a safepoint, for example:

      $ java -XX:StartFlightRecording:jdk.SafepointLatency#enabled=true,filename=recording.jfr
      $ jfr print --events jdk.SafepointLatency recording.jfr
      

• JEP-520: JFR Method Timing & Tracing: extends the JDK Flight Recorder (JFR) with facilities for method timing and tracing via bytecode instrumentation.

  There are two new JFR events introduced, jdk.MethodTiming and jdk.MethodTrace, they both accept a filter to select the methods to time and trace, couple of the examples below:

      $ java '-XX:StartFlightRecording:jdk.MethodTrace#filter=java.util.HashMap::resize,filename=recording.jfr' ...
      $ jfr print --events jdk.MethodTrace --stack-depth 20 recording.jfr
      

      $ java '-XX:StartFlightRecording:filename=fd.jfr,method-trace=java.io.FileDescriptor::<init>java.io.FileDescriptor::close' ..
      $ jfr view --cell-height 5 MethodTrace fd.jfr
      

      $ java '-XX:StartFlightRecording:method-timing=::<clinit>,filename=clinit.jfr' ...
      $ jfr view method-timing clinit.jfr
     

  A filter can also name an annotation. This causes all methods bearing the annotation, and all methods in all classes bearing the annotation, to be timed or traced.

      $ jcmd <pid> JFR.start method-timing=@jakarta.ws.rs.GET
      

  It is also possible to use JMX and the JFRs RemoteRecordingStream class to configure timing and tracing over the network.

From all perspectives, the list of the finalized features that made it into JDK-25 is rock solid. But the release also bundles a number of a new experimental and preview APIs, in addition to carried over ones.

• JEP 507: Primitive Types in Patterns, instanceof, and switch (Third Preview): enhances pattern matching by allowing primitive types in all pattern contexts, and extend instanceof and switch to work with all primitive types. This is a preview language feature.

• JEP-505: Structured Concurrency (Fifth Preview): simplifies concurrent programming by introducing an API for structured concurrency. Structured concurrency treats groups of related tasks running in different threads as single units of work, thereby streamlining error handling and cancellation, improving reliability, and enhancing observability. This is a preview API feature.

• JEP-502: Stable Values (Preview): introduces an API for stable values, which are objects that hold immutable data. Stable values are treated as constants by the JVM, enabling the same performance optimizations that are enabled by declaring a field final. Compared to final fields, however, stable values offer greater flexibility as to the timing of their initialization. This is a preview API feature.

• JEP-470: PEM Encodings of Cryptographic Objects (Preview): introduces an API for encoding objects that represent cryptographic keys, certificates, and certificate revocation lists into the widely-used Privacy-Enhanced Mail (PEM) transport format, and for decoding from that format back into objects. This is a preview API feature.

• JEP-508: Vector API (Tenth Incubator): introduces an API to express vector computations that reliably compile at runtime to optimal vector instructions on supported CPUs, thus achieving performance superior to equivalent scalar computations.

• JEP-509: JFR CPU-Time Profiling (Experimental): enhances the JDK Flight Recorder (JFR) to capture more accurate CPU-time profiling information on Linux. This is an experimental feature.

      $ java -XX:StartFlightRecording:jdk.CPUTimeSample#enabled=true,filename=recording.jfr
      $ jfr view cpu-time-hot-methods recording.jfr
      

  If you are interested in the subject, I would highly recommend this in-depth series of posts from Johannes Bechberger, covering every single detail of the implementation:

  • Java 25’s new CPU-Time Profiler (1)
  • Java 25’s new CPU-Time Profiler: The Implementation (2)
  • Java 25’s new CPU-Time Profiler: Queue Sizing (3)
  • Java 25’s new CPU-Time Profiler: Removing Redundant Synchronization (4)

Besides JEPs, JDK-25 has plenty of enhancements across the board, including bugfixes and changes in the behavior that may affect the existing applications.

• JDK-8350441: ZGC: Overhaul Page Allocation: ZGC had been improved to better deal with virtual address space fragmentation. This is especially impactful for programs with a large heap, where virtual address space fragmentation could be a noticeable issue.

• JDK-8192647: GClocker induced GCs can starve threads requiring memory leading to OOME: Serial and Parallel garbage collectors now ensure that no Java threads are in a JNI critical region before initiating a garbage collection eliminating unnecessary OutOfMemoryErrors.

• JDK-8346920: Serial: Support allocation in old generation when heap is almost full: restores the support for allocation in old-gen when heap is almost full, detected as non-empty young-gen after full gc, which was removed by mistake in JDK-8333786.

• JDK-8343782 - G1: Use one G1CardSet instance for multiple old gen regions: the G1 garbage collector further reduces remembered set memory overhead and pause-time by allowing multiple regions to share a single internal structure (G1CardSet) when they are likely to be collected together during a Mixed GC.

• JDK-8351405 - G1: Collection set early pruning causes suboptimal region selection: the G1 garbage collector now addresses pause time spikes during Mixed GCs by improving the selection of memory regions to reclaim during those. Regions that are expected to be costly to collect due to high inter-region references may be excluded during this region selection.

• JDK-8356848: Separate Metaspace and GC printing: information about Metaspace had been moved away from heap logging.

• JDK-8164714: Constructor.newInstance creates instance of inner class with null outer class: inner classes must not have null as their immediately enclosing instance.

• JDK-8350753: Deprecate UseCompressedClassPointers: the UseCompressedClassPointers option had deprecated and will be removed in a future Java version.

• JDK-8338675: javac shouldn't silently change .jar files on the classpath: under some conditions, javac could have modified JAR or ZIP files places on the classpath, by writing classfile(s) to them.

• JDK-8345432: (ch, fs) Replace anonymous Thread with InnocuousThread: the default thread pool for the system-wide default AsynchronousChannelGroup had been changed to create threads that do not inherit anything from threads that initiate asynchronous I/O operations.

• JDK-8354276: Strict HTTP header validation: the java.net.http.HttpClient now rejects HTTP/2 responses that contain header fields prohibited by the HTTP/2 specification (RFC-9113).

• JDK-8341402: BigDecimal's square root optimization: the method java.math.BigDecimal::sqrt had been reimplemented to perform much better. However, in some very rare and quite artificial cases involving powers of 100 and huge precisions, the new implementation throws whereas the old one returns a result.

• JDK-8138614: StringBuffer and StringBuilder methods improperly require "new" String to be returned: the specifications of the substring, subSequence, and toString methods of the java.lang.StringBuilder and java.lang.StringBuffer classes had been changed not to require a new java.lang.String instance to be returned every time.

• JDK-8024695: new File("").exists() returns false whereas it is the current working directory: the java.io.File class had been changed so that an instance of File created from the empty abstract pathname ("") now behaves consistently like a File created from the current user directory.

• JDK-8355954: File.delete removes read-only files (win): java.io.File::delete had been changed on Windows so that it now fails and returns false for regular files when the DOS read-only attribute is set.

• JDK-8350880: (zipfs) Add support for read-only zip file systems: the ZIP file system provider had been updated to allow a ZIP file system be created as a read-only or read-write file system.

• JDK-8350703: Add standard system property stdin.encoding: a new system property, stdin.encoding, had been added. This property contains the name of the recommended Charset for reading character data from System.in.

• JDK-8322810: Lambda expression types can't be classes: prior to JDK-25, the javac could have compiled lambda expressions assigned to intersection types, even if one of the types is a class, not an interface. This frequently led to bytecode being generated that raises a LambdaConversionException when executed. In JDK-25, the code like in the snippet below is not accepted by the compiler anymore:

      class Test {
          void m() {
              Test r = (Test & Runnable) () -> System.out.println("Hello, World!");
          }
      } 
      

• JDK-8346948: Update CLDR to Version 47.0: upgrades the CLDR data in the JDK to version 47.0.

Moving on to the standard library, JDK-25 delivers rather moderate changes, but quite handy nonetheless. Let us take a look at those.

• The addition of a new javax.sound.SoundClip class comes as a surprise.

• A new class java.lang.IO was added to the standard library that provides convenient access to System.in and System.out for line-oriented input and output.

• In scope of JDK-8225763: Inflater and Deflater should implement AutoCloseable, both java.util.zip.Deflater and java.util.zip.Inflater implement java.lang.AutoCloseable.

• The java.io.Reader class has two new very convenient methods:

  • String readAllAsString()
  • List<String> readAllLines() throws IOException

• In scope of JDK-8343110, a new default method was added to java.lang.CharSequence interface:

  • default void getChars(int srcBegin, int srcEnd, char[] dst, int dstBegin)

• In scope of JDK-8343110, a new default method was added to java.nio.CharBuffer class:

  • void getChars(int srcBegin, int srcEnd, char[] dst, int dstBegin)

• A java.lang.Math class was enhanced with a number of methods:

  • static int powExact(int x, int n)
  • static long powExact(long x, int n)
  • static int unsignedMultiplyExact(int x, int y)
  • static long unsignedMultiplyExact(long x, int y)
  • static long unsignedMultiplyExact(long x, long y)
  • static int unsignedPowExact(int x, int n)
  • static long unsignedPowExact(long x, int n)

• Similarly, mirrored changes went into java.lang.StrictMath class:

  • static int powExact(int x, int n)
  • static long powExact(long x, int n)
  • static int unsignedMultiplyExact(int x, int y)
  • static long unsignedMultiplyExact(long x, int y)
  • static long unsignedMultiplyExact(long x, long y)
  • static int unsignedPowExact(int x, int n)
  • static long unsignedPowExact(long x, int n)

• The java.lang.reflect.AccessFlag enum got a new method:

  • static Set<AccessFlag> maskToAccessFlags(int mask, AccessFlag.Location location, ClassFileFormatVersion cffv)

• In scope of JDK-8350279: HttpClient: Add a new HttpResponse method to identify connections, the java.net.http.HttpResponse interface was enriched with one new default method:

  • default Optional<String> connectionLabel()

• As part of JDK-8328919: Add BodyHandlers / BodySubscribers methods to handle excessive server input, the following new APIs have been added:

  • To java.net.http.HttpResponse$BodyHandlers class:

    • static <T> HttpResponse.BodyHandler<T> limiting(HttpResponse.BodyHandler<T> downstreamHandler, long capacity)

  • To java.net.http.HttpResponse$BodySubscribers class:

    • static <T> HttpResponse.BodySubscriber<T> limiting(HttpResponse.BodySubscriber<T> downstreamSubscriber, long capacity)

• A new method was added to java.util.Currency class:

  • static Stream<Currency> availableCurrencies()

• A couple of new methods were added to java.util.TimeZone class:

  • static Stream<String> availableIDs()
  • static Stream<String> availableIDs(int rawOffset)

• The class javax.net.ssl.ExtendedSSLSession got some attention as well:

  • byte[] exportKeyingMaterialData(String label, byte[] context, int length)
  • SecretKey exportKeyingMaterialKey(String keyAlg, String label, byte[] context, int length)

• Probably, the largest change in years comes to java.util.concurrent.ForkJoinPool, which now implements java.util.concurrent.ScheduledExecutorService as part of JDK-8319447: Improve performance of delayed task handling:

  • ScheduledFuture<?> schedule(Runnable command, long delay, TimeUnit unit)
  • <V> ScheduledFuture<V> schedule(Callable<V> callable, long delay, TimeUnit unit)
  • ScheduledFuture<?> scheduleAtFixedRate(Runnable command, long initialDelay, long period, TimeUnit unit)
  • ScheduledFuture<?> scheduleWithFixedDelay(Runnable command, long initialDelay, long delay, TimeUnit unit)
  • <V>ForkJoinTask<V> submitWithTimeout(Callable<V> callable, long timeout, TimeUnit unit, Consumer<? super ForkJoinTask<V>> timeoutAction)
  • long getDelayedTaskCount()
  • void cancelDelayedTasksOnShutdown()

• In scope of JDK-8351594: JFR: Rate-limited sampling of Java events, a new annotation @jdk.jfr.Throttle was introduced.

  Please note that in JDK-25, the JFR events jdk.SocketRead, jdk.SocketWrite, jdk.FileRead, and jdk.FileWrite are throttled by default. To restore previous behavior, please use -XX:StartFlightRecording:jdk.SocketRead#threshold=20ms,jdk.SocketRead#throttle=off.

  Also, the jdk.JavaExceptionThrow event was previously disabled by default, but is now enabled by default with a rate limit of 100 events per second. To disable this event, please use -XX:StartFlightRecording:jdk.JavaExceptionThrow#enabled=false.

• One more for JFR, as part of JDK-8356698: JFR: @Contextual, a new annotation @jdk.jfr.Contextual was introduced.

With respect to security, there are a few changes worth mentioning:

• JDK-8354305: SHAKE128-256 and SHAKE256-512 as MessageDigest Algorithms: adds SHAKE128 and SHAKE256 as MessageDigest algorithms.

• JDK-8350689: Turn on timestamp and thread metadata by default for java.security.debug: enhances the security debug logs by making sure that the thread and timestamp data is always present.

• JDK-8345431: Improve jar --validate to detect duplicate or invalid entries: the command now also checks if there are duplicate entries or inconsistent headers.

• JDK-8348986: Improve coverage of enhanced exception messages: networking exception messages can be filtered to remove sensitive information.

• JDK-8340321: Disable SHA-1 in TLS/DTLS 1.2 handshake signatures: the use of SHA-1 in TLS & DTLS 1.2 digital signatures is disabled, following the RFC-9155 deprecations.

• The work on phasing out the SecurityManager related functionality is underway with terminal deprecations:

  • JDK-8348967: Deprecate security permission classes for removal
  • JDK-8353641: Deprecate core library permission classes for removal
  • JDK-8353642: Deprecate URL::getPermission method and networking permission classes for removal
  • JDK-8353856: Deprecate FlighRecorderPermission class for removal
  • JDK-8347985: Deprecate java.management Permission classes for removal
  • JDK-8351224: Deprecate com.sun.tools.attach.AttachPermission for removal
  • JDK-8351310: Deprecate com.sun.jdi.JDIPermission for removal

Last but not least, few regressions slipped into JDK-25 at the last moment, please be aware of those:

• JDK-8367031: [backout] Change java.time month/day field types to 'byte': regression in serialization of LocalDate class objects.

• JDK-8366434: THP not working properly with G1 after JDK-8345655: -XX:+UseTransparentHugePages Fails to Enable Huge Pages for G1.

• JDK-8358535: Changes in ClassValue (JDK-8351996) caused a 1-9% regression in Renaissance-PageRank: performance regression in java.lang.ClassValue::get.

My personal retrospective on the JDK-25 release, among many other things, highlights a significant progress of the Project Leyden and substantial investments into JDK Flight Recorder (JFR) tooling and instrumentation. Let us see what comes next, the lineup for JDK-26 already looks exciting.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.

(Mostly) Zero Trust: Sandboxing Java applications with GraalVM and Espresso

With the death of SecurityManager, isolating untrusted Java code execution (for example, in case of plugins or scripting) becomes even more difficult. But, luckily, the maturity of GraalVM, both from features and stability perspectives, offers a compelling solution to sandboxing Java code.

In today's post, we are going to explore GraalVM polyglot capabilities, more specifically GraalVM Espresso - an implementation of the Java Virtual Machine Specification built upon GraalVM as a Truffle interpreter. To make things more interesting, there are two runtime models that we are going to talk about:

• out of process: isolated host/guest JVM with prebuilt Espresso runtime
• out of process: isolated, potentially even different, host/guest JVM runtimes

At first, the amount of the details that GraalVM polyglot programming throws at you feels overwhelming, but the documentation really helps to navigate over them. The latest version of the GraalVM available as of this writing is 24.2.1 and this is what we are going to use. To keep things simple but meaningful, we are going to sandbox an application that:

• exposes one interface ApplicationService

        public interface ApplicationService {
            ApplicationInfo getApplicationInfo();
            ApplicationInfo setApplicationInfo(ApplicationInfo info);
        }
        

• exposes one custom data type (Java record)

        public record ApplicationInfo(String env, String version) {
        }
        

• provides the default ApplicationService implementation

      public class AppRunner {
          public static void main(String[] args) {
              System.out.println(getApplication().getApplicationInfo());
          }
  
          public static ApplicationService getApplication() {
              return new ApplicationService() {
                  private ApplicationInfo info = new ApplicationInfo("unconstrained", "1.0.0");
  
                  @Override
                  public ApplicationInfo getApplicationInfo() {
                      return info;
                  }
  
                  @Override
                  public ApplicationInfo setApplicationInfo(ApplicationInfo info) {
                      this.info = info;
                      return info;
                  }
              };
          }
     }
        

What the host will be doing with this sandboxed application? Quite simple: it will get access to default ApplicationService implementation, query the ApplicationInfo and change it to its own provided value. Such an exercise would demonstrate the essential interoperability dance between host and guest in the GraalVM world. What is interesting, the guest (application we are going to sandbox) has no idea it is running inside the GraalVM Espresso managed runtime.

Let us start building with provided GraalVM Espresso runtime (which is based on JDK-21). Here are the dependencies that we need to get started.

        <dependency>
            <groupId>org.graalvm.polyglot</groupId>
            <artifactId>polyglot</artifactId> 
            <version>24.2.1</version>
        </dependency>
        <dependency>
            <groupId>org.graalvm.espresso</groupId>
            <artifactId>espresso-language</artifactId> 
            <version>24.2.1</version>
        </dependency>
        <dependency>
            <groupId>org.graalvm.espresso</groupId>
            <artifactId>polyglot</artifactId>
            <version>24.2.1</version>
        </dependency>
        <dependency>
            <groupId>org.graalvm.espresso</groupId>
            <artifactId>espresso-runtime-resources-jdk21</artifactId>
            <version>24.2.1</version>
        </dependency>
        <dependency>
            <groupId>org.graalvm.polyglot</groupId>
            <artifactId>java-community</artifactId> 
            <version>24.2.1</version>
            <type>pom</type>
        </dependency>

To have access to sandboxed application types, we would also need to include the dependency on its API (just for sake of simplicity, we include the application module itself):

        <dependency>
            <groupId>com.example.graalvmt</groupId>
            <artifactId>app</artifactId> 
            <version>0.0.1-SNAPSHOT</version>
        </dependency>

The bootstrapping is pretty straightforward. The first thing the host application has to do is to create a new polyglot engine:

        final Engine engine = Engine
            .newBuilder()
            .build();

The next step establishes the polyglot context and is a bit more engaging. Please don't panic if some things are not clear from the start, we are going to look at all of them shortly.

        final Context context = Context
            .newBuilder("java")
            .option("java.Properties.java.class.path", application)
            .option("java.Polyglot", "true")
            .option("java.EnableGenericTypeHints", "true")
            .allowExperimentalOptions(true)
            .allowNativeAccess(true)
            .allowCreateThread(false)
            .allowHostAccess(HostAccess
                .newBuilder(HostAccess.ALL)
                .targetTypeMapping(
                        Value.class,
                        ApplicationInfo.class,
                        v -> true,
                        v -> new ApplicationInfo(
                            v.invokeMember("env").asString(), 
                            v.invokeMember("version").asString())
                    )
                .build()
            )
            .allowIO(IOAccess.NONE)
            .allowPolyglotAccess(PolyglotAccess
                .newBuilder()
                .allowBindingsAccess("java")
                .build())
            .engine(engine)
            .build();

Let us go over this snippet line by line. Since this is a polyglot context, we limit its languages to java only. We also provide the classpath to our sandboxed application JAR file using java.Properties.java.class.path property. We explicitly prohibiting thread creation with allowCreateThread(false) and I/O access with allowIO(IOAccess.NONE) but have to allow native access (allowNativeAccess(true)), this is a limitation of the GraalVM Espresso engine at the moment (please check [Espresso] Support running without native access. for more details).

The host access configuration needs some wider explanation. We do allow access to host from guest (sandboxed application) with HostAccess.ALL policy and also provide the type mapping for ApplicationInfo record class so we could reconstruct it from generic polyglot Value class. Last but not least, we allow polyglot access java bindings with allowBindingsAccess("java"). And by and large, this is it!

With the context bootstrapped, we are ready to interact with the sandboxed application (or in terms of GraalVM, guest) through polyglot bindings. To illustrate the host/guest isolation, let us make an inquiry about their JVM runtime versions.

        final Value runtime = context.getBindings("java").getMember("java.lang.Runtime");
        System.out.println("Host JVM version: " + Runtime.version());
        System.out.println("Guest JVM version: " + runtime.invokeMember("version"));
  

Depending on your system and settings, you may see something along these lines:

Host JVM version: 24.0.1+9-30
Guest JVM version: 21.0.2+13-LTS-jvmci-23.1-b33

Clearly, the host and guest JVMs are far apart. According to our plan, let us retrieve the instance of the ApplicationService and ask for ApplicationInfo:

        final ApplicationService service = context.getBindings("java")
            .getMember("com.example.AppRunner")
            .invokeMember("getApplication")
            .as(ApplicationService.class);
        System.out.println("ApplicationInfo? " + service.getApplicationInfo());

We should see in the console:

ApplicationInfo? ApplicationInfo[env=unconstrained, version=1.0.0]

Now let us change the ApplicationInfo by construction a new instance on the host and sending it back to the guest, using ApplicationService instance at hand:

        final ApplicationInfo newInfo = context.getBindings("java")
            .getMember("com.example.ApplicationInfo")
            .newInstance("sandboxed", "1.0.0")
            .as(ApplicationInfo.class);

        final ApplicationInfo info = service.setApplicationInfo(newInfo);
        System.out.println("ApplicationInfo? " + info);

This time, we should see in the console a different picture:

ApplicationInfo? ApplicationInfo[env=sandboxed, version=1.0.0]

With all details (hopefully) explained, we could see how things work in action. The easiest way to run the host application is by using Apache Maven and its Exec Maven Plugin (please change JAVA_HOME accordingly):

$ export JAVA_HOME=/usr/lib/jvm/java-24-openjdk-amd64/
$ mvn package exec:java -Dexec.mainClass="com.example.graalvm.sandbox.SandboxRunner" -Dexec.args="app/target/app-0.0.1-SNAPSHOT.jar" -f sandbox-bundled-jvm/

Here is how the complete output in the console looks like:

Host JVM version: 24.0.1+9-30
Guest JVM version: 21.0.2+13-LTS-jvmci-23.1-b33
ApplicationInfo? ApplicationInfo[env=unconstrained, version=1.0.0]
ApplicationInfo? ApplicationInfo[env=sandboxed, version=1.0.0]

Let us recap what we have done: we basically isolated the application we wanted to sandbox into separate JVM instance but preserved full access to its API, limiting some very key JVM capabilities (no threads, no I/O). This is very powerful but has one limitation: we are bounded by the GraalVM Espresso runtime. What if we could have used any other JVM? Good news, it is totally an option and this is what we are going to do next.

As of this writing, GraalVM Espresso allows running either Java 8, Java 11, Java 17, or Java 21 guest JVMs. However, the host could be running any other JVM, and why not latest JDK-24? There aren't actually too many changes that we need to do to the Context:

    final Context context = Context
            .newBuilder("java")
            .option("java.JavaHome", jdkHome)
            .option("java.Classpath", application)
            .option("java.Properties.java.security.manager", "allow")
            .option("java.PolyglotInterfaceMappings", getInterfaceMappings())
            .option("java.Polyglot", "true")
            .option("java.EnableGenericTypeHints", "true")
            .allowExperimentalOptions(true)
            .allowNativeAccess(true)
            .allowCreateThread(false)
            .allowHostAccess(HostAccess
                .newBuilder(HostAccess.ALL)
                .targetTypeMapping(
                        Value.class,
                        ApplicationInfo.class,
                        v -> true,
                        v -> new ApplicationInfo(
                            v.invokeMember("env").asString(), 
                            v.invokeMember("version").asString())
                    )
                .build()
            )
            .allowIO(IOAccess.NONE)
            .allowPolyglotAccess(PolyglotAccess
                .newBuilder()
                .allowBindingsAccess("java")
                .build())
            .engine(engine)
            .build();

Notice that we do provide own JDK installation (using java.JavaHome) and classpath (using java.Classpath). More to that, we have an opportunity to pass any additional JVM properties (for example, "java.Properties.java.security.manager", "allow" is equivalent to passing -Djava.security.manager=allow, however we don't really use it). The new option here is java.PolyglotInterfaceMappings:

    private static String getInterfaceMappings(){
        return "com.example.ApplicationService;";
    }

It allows to automatically constructing guest proxies for host objects that implement declared interfaces in the list (essentially, we could provide our own ApplicationService and push it to the guest). And one important note, we don't need espresso-runtime-resources-jdk21 dependency anymore. Everything else stays unchanged.

If we run the host application this time:

$ export JAVA_HOME=/usr/lib/jvm/java-24-openjdk-amd64/
$ mvn package exec:java -Dexec.mainClass="com.example.graalvm.sandbox.SandboxRunner" -Dexec.args="/usr/lib/jvm/java-17-openjdk-amd64/ app/target/app-0.0.1-SNAPSHOT.jar" -f sandbox-custom-jvm/

The output will be slightly different:

Host JVM version: 24.0.1+9-30
Guest JVM version: 17.0.15+6-Ubuntu-0ubuntu124.04
ApplicationInfo? ApplicationInfo[env=unconstrained, version=1.0.0]
ApplicationInfo? ApplicationInfo[env=sandboxed, version=1.0.0]

Sky is the limit! GraalVM with its powerful polyglot features and GraalVM Espresso engine offers an unique capability to isolate (sandbox) untrusted Java code execution, using a JDK of your choice (you can even run JDK-21 with full-fledged SecurityManager activated if dimed necessary). We have just looked into some foundational concepts (there are still some limitations) however there are much more to uncover here (and please, note that GraalVM evolves very fast, the limitations of today become features of tomorrow). Hope you find it useful.

The complete source code of the project is available on Github.

I 🇺🇦 stand 🇺🇦 with 🇺🇦 Ukraine.