openjdk · kimbarrett · Mar 20, 2025 · Mar 20, 2025 · Apr 16, 2025 · Apr 16, 2025
diff --git a/src/hotspot/os/aix/libodm_aix.cpp b/src/hotspot/os/aix/libodm_aix.cpp
@@ -30,6 +30,7 @@
 #include <string.h>
 #include "runtime/arguments.hpp"
 #include "runtime/os.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 
 
 dynamicOdm::dynamicOdm() {
@@ -59,7 +60,7 @@ dynamicOdm::~dynamicOdm() {
 }
 
 
-void odmWrapper::clean_data() { if (_data) { free(_data); _data = nullptr; } }
+void odmWrapper::clean_data() { if (_data) { permit_forbidden_function::free(_data); _data = nullptr; } }
 
 
 int odmWrapper::class_offset(const char *field, bool is_aix_5)

diff --git a/src/hotspot/os/aix/loadlib_aix.cpp b/src/hotspot/os/aix/loadlib_aix.cpp
@@ -38,6 +38,7 @@
 #include "logging/log.hpp"
 #include "utilities/debug.hpp"
 #include "utilities/ostream.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 
 // For loadquery()
 #include <sys/ldr.h>
@@ -58,7 +59,7 @@ class StringList {
   // Enlarge list. If oom, leave old list intact and return false.
   bool enlarge() {
     int cap2 = _cap + 64;
-    char** l2 = (char**) ::realloc(_list, sizeof(char*) * cap2);
+    char** l2 = (char**) permit_forbidden_function::realloc(_list, sizeof(char*) * cap2);
     if (!l2) {
       return false;
     }
@@ -76,7 +77,7 @@ class StringList {
       }
     }
     assert0(_cap > _num);
-    char* s2 = ::strdup(s);
+    char* s2 = permit_forbidden_function::strdup(s);
     if (!s2) {
       return nullptr;
     }
@@ -170,7 +171,7 @@ static void free_entry_list(loaded_module_t** start) {
   loaded_module_t* lm = *start;
   while (lm) {
     loaded_module_t* const lm2 = lm->next;
-    ::free(lm);
+    permit_forbidden_function::free(lm);
     lm = lm2;
   }
   *start = nullptr;
@@ -193,7 +194,7 @@ static bool reload_table() {
   uint8_t* buffer = nullptr;
   size_t buflen = 1024;
   for (;;) {
-    buffer = (uint8_t*) ::realloc(buffer, buflen);
+    buffer = (uint8_t*) permit_forbidden_function::realloc(buffer, buflen);
     if (loadquery(L_GETINFO, buffer, buflen) == -1) {
       if (errno == ENOMEM) {
         buflen *= 2;
@@ -229,7 +230,7 @@ static bool reload_table() {
 
   for (;;) {
 
-    loaded_module_t* lm = (loaded_module_t*) ::malloc(sizeof(loaded_module_t));
+    loaded_module_t* lm = (loaded_module_t*) permit_forbidden_function::malloc(sizeof(loaded_module_t));
     if (!lm) {
       log_warning(os)("OOM.");
       goto cleanup;
@@ -250,7 +251,7 @@ static bool reload_table() {
 
     if (!lm->path) {
       log_warning(os)("OOM.");
-      free(lm);
+      permit_forbidden_function::free(lm);
       goto cleanup;
     }
 
@@ -272,7 +273,7 @@ static bool reload_table() {
       lm->member = g_stringlist.add(p_mbr_name);
       if (!lm->member) {
         log_warning(os)("OOM.");
-        free(lm);
+        permit_forbidden_function::free(lm);
         goto cleanup;
       }
     } else {
@@ -320,7 +321,7 @@ static bool reload_table() {
     free_entry_list(&new_list);
   }
 
-  ::free(buffer);
+  permit_forbidden_function::free(buffer);
 
   return rc;
 

diff --git a/src/hotspot/os/aix/os_aix.cpp b/src/hotspot/os/aix/os_aix.cpp
@@ -73,6 +73,7 @@
 #include "utilities/defaultStream.hpp"
 #include "utilities/events.hpp"
 #include "utilities/growableArray.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 #include "utilities/vmError.hpp"
 #if INCLUDE_JFR
 #include "jfr/support/jfrNativeLibraryLoadEvent.hpp"
@@ -369,9 +370,9 @@ static void query_multipage_support() {
   // or by environment variable LDR_CNTRL (suboption DATAPSIZE). If none is given,
   // default should be 4K.
   {
-    void* p = ::malloc(16*M);
+    void* p = permit_forbidden_function::malloc(16*M);
     g_multipage_support.datapsize = os::Aix::query_pagesize(p);
-    ::free(p);
+    permit_forbidden_function::free(p);
   }
 
   // Query default shm page size (LDR_CNTRL SHMPSIZE).
@@ -1398,7 +1399,7 @@ static struct {
 } vmem;
 
 static void vmembk_add(char* addr, size_t size, size_t pagesize, int type) {
-  vmembk_t* p = (vmembk_t*) ::malloc(sizeof(vmembk_t));
+  vmembk_t* p = (vmembk_t*) permit_forbidden_function::malloc(sizeof(vmembk_t));
   assert0(p);
   if (p) {
     MiscUtils::AutoCritSect lck(&vmem.cs);
@@ -1427,7 +1428,7 @@ static void vmembk_remove(vmembk_t* p0) {
   for (vmembk_t** pp = &(vmem.first); *pp; pp = &((*pp)->next)) {
     if (*pp == p0) {
       *pp = p0->next;
-      ::free(p0);
+      permit_forbidden_function::free(p0);
       return;
     }
   }

diff --git a/src/hotspot/os/aix/porting_aix.cpp b/src/hotspot/os/aix/porting_aix.cpp
@@ -39,6 +39,7 @@
 #include "runtime/os.hpp"
 #include "utilities/align.hpp"
 #include "utilities/debug.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 #include <cxxabi.h>
 #include <sys/debug.h>
 #include <pthread.h>
@@ -250,7 +251,7 @@ bool AixSymbols::get_function_name (
           p_name[namelen-1] = '\0';
         }
         if (demangled_name != nullptr) {
-          ALLOW_C_FUNCTION(::free, ::free(demangled_name));
+          permit_forbidden_function::free(demangled_name);
         }
       }
     } else {
@@ -1081,7 +1082,7 @@ void* Aix_dlopen(const char* filename, int Flags, int *eno, const char** error_r
       if (g_handletable_used == max_handletable) {
         // No place in array anymore; increase array.
         unsigned new_max = MAX2(max_handletable * 2, init_num_handles);
-        struct handletableentry* new_tab = (struct handletableentry*)::realloc(p_handletable, new_max * sizeof(struct handletableentry));
+        struct handletableentry* new_tab = (struct handletableentry*) permit_forbidden_function::realloc(p_handletable, new_max * sizeof(struct handletableentry));
         assert(new_tab != nullptr, "no more memory for handletable");
         if (new_tab == nullptr) {
           *error_report = "dlopen: no more memory for handletable";

diff --git a/src/hotspot/os/bsd/decoder_machO.cpp b/src/hotspot/os/bsd/decoder_machO.cpp
@@ -27,6 +27,8 @@
 #include "decoder_machO.hpp"
 #include "jvm.h"
 #include "memory/allocation.inline.hpp"
+#include "utilities/globalDefinitions.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 
 #include <cxxabi.h>
 #include <mach-o/loader.h>
@@ -42,9 +44,9 @@ bool MachODecoder::demangle(const char* symbol, char *buf, int buflen) {
   // may use different malloc/realloc mechanism that allocates 'buf'.
   if ((result = abi::__cxa_demangle(symbol, nullptr, nullptr, &status)) != nullptr) {
     jio_snprintf(buf, buflen, "%s", result);
-      // call c library's free
-      ::free(result);
-      return true;
+    // call c library's free
+    permit_forbidden_function::free(result);
+    return true;
   }
   return false;
 }

diff --git a/src/hotspot/os/linux/decoder_linux.cpp b/src/hotspot/os/linux/decoder_linux.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
 #include "utilities/decoder_elf.hpp"
 #include "utilities/elfFile.hpp"
 #include "utilities/globalDefinitions.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 
 #include <cxxabi.h>
 
@@ -46,9 +47,9 @@ bool ElfDecoder::demangle(const char* symbol, char *buf, int buflen) {
   // may use different malloc/realloc mechanism that allocates 'buf'.
   if ((result = abi::__cxa_demangle(symbol, nullptr, nullptr, &status)) != nullptr) {
     jio_snprintf(buf, buflen, "%s", result);
-      // call c library's free
-      ALLOW_C_FUNCTION(::free, ::free(result);)
-      return true;
+    // call c library's free
+    permit_forbidden_function::free(result);
+    return true;
   }
   return false;
 }

diff --git a/src/hotspot/os/linux/gc/z/zMountPoint_linux.cpp b/src/hotspot/os/linux/gc/z/zMountPoint_linux.cpp
@@ -28,6 +28,7 @@
 #include "runtime/globals.hpp"
 #include "runtime/os.hpp"
 #include "utilities/globalDefinitions.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 
 #include <stdio.h>
 #include <unistd.h>
@@ -62,11 +63,11 @@ char* ZMountPoint::get_mountpoint(const char* line, const char* filesystem) cons
       strcmp(line_filesystem, filesystem) != 0 ||
       access(line_mountpoint, R_OK|W_OK|X_OK) != 0) {
     // Not a matching or accessible filesystem
-    ALLOW_C_FUNCTION(::free, ::free(line_mountpoint);)
+    permit_forbidden_function::free(line_mountpoint);
     line_mountpoint = nullptr;
   }
 
-  ALLOW_C_FUNCTION(::free, ::free(line_filesystem);)
+  permit_forbidden_function::free(line_filesystem);
 
   return line_mountpoint;
 }
@@ -90,14 +91,14 @@ void ZMountPoint::get_mountpoints(const char* filesystem, ZArray<char*>* mountpo
   }
 
   // readline will return malloced memory. Need raw ::free, not os::free.
-  ALLOW_C_FUNCTION(::free, ::free(line);)
+  permit_forbidden_function::free(line);
   fclose(fd);
 }
 
 void ZMountPoint::free_mountpoints(ZArray<char*>* mountpoints) const {
   ZArrayIterator<char*> iter(mountpoints);
   for (char* mountpoint; iter.next(&mountpoint);) {
-    ALLOW_C_FUNCTION(::free, ::free(mountpoint);) // *not* os::free
+    permit_forbidden_function::free(mountpoint); // *not* os::free
   }
   mountpoints->clear();
 }

diff --git a/src/hotspot/os/linux/mallocInfoDcmd.cpp b/src/hotspot/os/linux/mallocInfoDcmd.cpp
@@ -26,6 +26,7 @@
 #include "os_linux.hpp"
 #include "utilities/globalDefinitions.hpp"
 #include "utilities/ostream.hpp"
+#include "utilities/permitForbiddenFunctions.hpp"
 
 #include <malloc.h>
 
@@ -35,15 +36,15 @@ void MallocInfoDcmd::execute(DCmdSource source, TRAPS) {
 #ifdef __GLIBC__
   char* buf;
   size_t size;
-  ALLOW_C_FUNCTION(::open_memstream, FILE* stream = ::open_memstream(&buf, &size);)
+  FILE* stream = ::open_memstream(&buf, &size);
   if (stream == nullptr) {
     _output->print_cr("Error: Could not call malloc_info(3)");
     return;
   }
 
   int err = os::Linux::malloc_info(stream);
   if (err == 0) {
-    ALLOW_C_FUNCTION(::fflush, fflush(stream);)
+    fflush(stream);
     _output->print_raw(buf);
     _output->cr();
   } else if (err == -1) {
@@ -53,8 +54,8 @@ void MallocInfoDcmd::execute(DCmdSource source, TRAPS) {
   } else {
     ShouldNotReachHere();
   }
-  ALLOW_C_FUNCTION(::fclose, ::fclose(stream);)
-  ALLOW_C_FUNCTION(::free, ::free(buf);)
+  ::fclose(stream);
+  permit_forbidden_function::free(buf);
 #else
   _output->print_cr(malloc_info_unavailable);
 #endif // __GLIBC__

diff --git a/src/hotspot/os/posix/forbiddenFunctions_posix.hpp b/src/hotspot/os/posix/forbiddenFunctions_posix.hpp
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+#ifndef OS_POSIX_FORBIDDENFUNCTIONS_POSIX_HPP
+#define OS_POSIX_FORBIDDENFUNCTIONS_POSIX_HPP
+
+#include "utilities/compilerWarnings.hpp"
+
+// For types used in the signatures.
+#include <stddef.h>
+
+// Workaround for noreturn functions: _exit - see the clang
+// definition of FORBIDDEN_FUNCTION_NORETURN_ATTRIBUTE.
+#ifdef __clang__
+#include <unistd.h>
+#endif
+
+// If needed, add os::strndup and use that instead.
+FORBID_C_FUNCTION(char* strndup(const char*, size_t), "don't use");
+
+// These are unimplementable for Windows, and they aren't useful for a
+// POSIX implementation of NMT either.
+// https://stackoverflow.com/questions/62962839/stdaligned-alloc-missing-from-visual-studio-2019
+FORBID_C_FUNCTION(int posix_memalign(void**, size_t, size_t), "don't use");
+FORBID_C_FUNCTION(void* aligned_alloc(size_t, size_t), "don't use");
+
+// realpath with a null second argument mallocs a string for the result.
+// With a non-null second argument, there is a risk of buffer overrun.
+PRAGMA_DIAG_PUSH
+FORBIDDEN_FUNCTION_IGNORE_CLANG_FORTIFY_WARNING
+FORBID_C_FUNCTION(char* realpath(const char*, char*), "use os::realpath");
+PRAGMA_DIAG_POP
+
+// Returns a malloc'ed string.
+FORBID_C_FUNCTION(char* get_current_dir_name(), "use os::get_current_directory");
+
+// Problematic API that should never be used.
+FORBID_C_FUNCTION(char* getwd(char*), "use os::get_current_directory");
+
+// BSD utility that is subtly different from realloc.
+FORBID_C_FUNCTION(void* reallocf(void*, size_t), "use os::realloc");
+
+#endif // OS_POSIX_FORBIDDENFUNCTIONS_POSIX_HPP