Java program launchers need to enable native code interfacing explicitly

CHANGE

Description

Java program launchers need to enable native code interfacing explicitly since Java platform is moving towards 'integrity by default'. The idea is that unrestricted and/or native code is perceived as something that can destabilize whole JVM and JVM authors decided that it will be easier to maintain Java platform if such code is blocked by default and only allowed when a restriction is explicitly lifted.

Proposal

Add '-enable-native-access=ALL-UNNAMED' when running programs under OpenJDK.

Add '-H:+UnlockExperimentalVMOptions', '-H:+ForeignAPISupport' and '-enable-native-access=ALL-UNNAMED' when running programs under GraalVM native-image.

This is akin to e.g. .NET programs having '<AllowUnsafeBlocks>true' in their configuration, i.e. Java has 'restricted' methods instead of 'unsafe' blocks, but they serve same thing - blocking code that could destabilize the managed runtime.

I'm not sure if I should try to find and list all the programs that suffer from missing command line switches or if it will be easier to just add the switches to all program launchers. The '<AllowUnsafeBlocks>true' seems to be present in all C# programs irrespective whether it's needed or not.

However, the examples of unlifted restrictions under Java are:

• https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/regexredux-java-2.html - VM outputs unwanted warning
• https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/regexredux-graalvmaot-2.html - VM blocks code from running at all
• code that runs under OpenJDK 23 without problems, but will fail in near future (due to JNI being blocked by default):
  • https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/pidigits-java-3.html
  • https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/pidigits-java-2.html

Additionally, there seems to be a missing command line switch like '-Djava.library.path=Include/java' in following programs:

• https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/pidigits-graalvmaot-2.html
• https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/pidigits-graalvmaot-3.html

Without '-Djava.library.path=actual_path_of_gmp_libraries' the programs can't run.

Another issue with command-line switches is in https://benchmarksgame-team.pages.debian.net/benchmarksgame/program/knucleotide-graalvmaot-1.html . The classpath value is missing when creating native image, i.e. the '-cp .:/opt/src/java-libs/fastutil-8.3.1.jar' switch needs to be added to native-image call too.

Benefits & Costs

Java programs that use FFM and JNI APIs will continue to work correctly. Otherwise both types won't work by default in current and/or upcoming Java versions.