SecurityManager dies not with a bang, but a whimper. The professor who taught a generally-misguided Java elective extolled the benefits of the security manager whenever he could. I was tremendously skeptical at the time. I'm inappropriately smug to have been proven right now, several decades later.
I really want structured concurrency out of preview!! I think it helps close one of the last gaps golang has over Java in the ease-of-concurrent-programming side of things. Go makes channels and waitgroups pretty easy. I think structured concurrency is a great side-step of those primitives by actually making the higher-level tasks you use those tools to accomplish easier to write and reason about. Continuing a trend I see where go tends to have somewhat better primitives, but then obstinately does nothing with them to actually make the higher-level tasks easier to accomplish.
No pinning virtual threads is huge. Finally you can virtual thread with near-wild abandon, as God intended.
Love seeing Streams still getting love. I do a lot of fizzbuzz-esque interviews (the "can you code your way out of a paper bag" type screens) for my company and I think it says a lot that, in general, people who pick Java and use streams pass but people who don't use streams often get tripped up in their loop logic and fail (or, even if they don't fail per se, don't pass). It says a lot about ergonomics and intuitiveness, and also the power of the abstraction to tersely and compactly solve real problems, when a language is a big ally in interviews. And the cool thing about Java streams is that they're as powerful as Ruby's functional-style operation chaining (arr.map{}.reduce(:+) etc) but they're actually performant. I feel it also bears mentioning that people who use Ruby in these interviews, few as they are, almost always pass and do so while writing very few LOC :)
Go is the poster child for not having structured concurrency, the article that started this movement was an explicit take down of go’s concurrency primitive “go func” being dangerous.
I think Kotlin still leads here, and even the Java changes don’t have the same nice ergonomics you get with Kotlin’s DSL. Would love to see more tenseness from Kotlin leak into Java.
Yet, like most Go design decisions, they will end up retrofiting what should have been there.
Kotlin has the issue of being a guest language, and wanting to play in many playgrounds, eventually it will diverge as it always happens.
As it is already happening, like now how will Kotlin async deal with virtual threads expectations, including writing portable code that doesn't suffer from runtime semantics, depending on the target platform.
I stopped at "go statements are a form of goto statement."
This is simply not correct. They have some diagrams and squinted and said "hey, that looks the same as a goto statement", but unfortunatley they have their diagrams wrong. "go func" will run at scheduler's pleasure, not immediately after the statement "go func..". A goto statement is a deterministic flow control directive. It will goto where you tell it.
Security Manager is one of the only unique selling points of Java, to remove it (without removing it because you need it underneath) is as big of a blunder as removing Applets from browsers and replacing it with something worse: WASM without GC and then adding GC to WASM...
If SVTwP is not better than NIO; Java ends with JDK 23.
> Warnings issued in JDK 17–23 generated minimal discussion in the Java ecosystem
Because no feature added after 1.8 made sense, so nobody upgraded. They are taking decisions off the wrong data.
> they are encouraged to transition to alternative sandboxing and API interception mechanisms
Unique, sure. Selling point? I really don't think so. This idea of "safely" running untrusted code in the jvm sandbox both never materialized (constant stream of sandbox-escape vulns i've seen over the years) and also was at the wrong level - anyone doing multi-tenant code execution is doing it via things like gvisor or at the OS-level.
I don't think I buy your assertion that nobody has upgraded. I know of a 3000-4000-strong eng org at a certain company that has upgraded all the way from 8 to 17 as of when i left 3 years ago. They primarily wanted the GC improvements because they translated into huge immediate efficiency gains on their workloads (huge Spark/Hadoop spend savings, and moderate savings for the non-big-data jvm workloads).
I do share your lament of applets though. It would've been a way better runtime for portable/install-less/JIT-install things than the current nightmare of html/css/js/etc. But they just didn't have the browser integration - it would've needed to be more than just "look we put a drawing surface into the web browser" - and they didn't have the "window into the world" either (that's browsers). Unfortunately, it's the front door program and platform that owns the users, and that's web browsers.
The Security Manager was dead as soon as applets ceased to be relevant (which happened a long time before WASM appeared btw.). Deploying the Security Manager requires designing the application up front for it as well as maintaining policy files. Most developers are not aware how to do either.
But its biggest weakness is that it has to restrict a lot of overly powerful APIs. That's like spooning water with a sieve. It would have been better to let the host application restrict which APIs are visible in the first place, like it is done with browser APIs.
The projects that didn't upgrade so far are either dusty business-crirical applications that nobody cares to touch or that utterly deprioritize upgrades unless circumstances force them to. Most of the new features make a lot of sense, but nobody is going to gamble their job on forcing an upgrade just to being able to use them.
To suppress things like `System.exit(0)`, agents can be used. Proper sandboxing solutions would be VMs and containerization technologies. Achieving perfect sandboxing within a process is hopeless anyway.
> I really want structured concurrency out of preview!!
I'm guessing they thought it couldn't hurt to do another round of testing. Since OpenJDK 25 will be an LTS release, I suspect it will go out of preview in the next release.
> No pinning virtual threads is huge. Finally you can virtual thread with near-wild abandon, as God intended.
I see that formerly it pinned virtual threads "when it executes code inside a synchronized block or method", and "frequent pinning for long durations can harm the scalability of an application by capturing carriers". You were supposed to "avoid frequent and long-lived pinning by revising synchronized blocks or methods that run frequently and guard potentially long I/O operations to use java.util.concurrent.locks.ReentrantLock instead."
How big a problem was this in practice? On the one hand, I think "harm the scalability" is putting it mildly—if you have a whole bunch of virtual threads doing IO, only running num_cores of them at once is devastating. On the other hand, holding a lock while doing IO smells wrong. Is this really common?
It can deadlock and cause crashes if you do use a library impacted. It's sometimes hard to tell and you'd have to dig into the source. Sometimes the library maintainer wouldn't update the code to a different method for <reasons>.
> Is this really common?
Yes, maybe not in obvious ways e.g. many developers use Spring, which is backed by a large organization and you'd assume to have things covered but under the hood Spring itself uses many libraries and some often open source without much support (can be a personal project by a single developer).
I think in practice it has to do with some libs (eg jdbc drivers) that would be relying on synchronized. If the performance with vthreads was much worse for some cases it would be a bit of failure
I'm glad they're working on it but I still can't help but my miss async/await.
In C# the API is a bit overturned for sharing a GUI thread but it does the job. Structured Concurrency makes the scopes more obvious but I'm worried about the ergonomics. What is the core use case for the design? Is it just to make collecting a set of concurrent tasks bullet proof? Are we going to see scopes abused and passed around to handle the non-happy path of "a function always ends before it's caller."
It doesn't seem to service GUI programming all that well. I guess there's still Kotlin's approach but hopefully something happens on the Java side.
"Is it just to make collecting a set of concurrent tasks bullet proof?"
At a surface level, yeah basically. And ask anyone who's used python's multiprocessing how hard that is to actually get completely right.
I don't think structured concurrency is going to be some panacea of multiprocessing at all. It's to address code you'd see in golang that's like, make a waitgroup, fire off N goroutines, wait for success and gather errors. That code is not incredibly fun in Java right now.
w.r.t. async/await, imo the beauty of virtual threads is that you've no longer got function coloring, and the "await"s are free, implicit, and performant. and of course you're never precluded from using higher level application locks that have always been there, including synchronized now.
Also, specifically w.r.t. gui programming, I think Java is unfortunately kind of stuck. JavaFX has been put into the back of the closet, Swing is completely ossified (though tbh I still like it), and what energy is there behind any non-electron/web GUI development anymore anyway? In a world where vscode, one of the most popular new "IDEs"/IDE platforms, is written in a frickin web browser, and mobile apps dominate a huge % of what constitutes "native" GUI development, I don't really blame Java for not prioritizing it beyond keeping Swing working on e.g. hiDPI displays and so on.
> Java streams is that they're as powerful as Ruby's functional-style operation chaining (arr.map{}.reduce(:+) etc)
This is not a unique Ruby feature though. Iterators are very common nowadays. Java streams have okay performance, much like .NET's LINQ you likely won't be able to use them in a really performance-sensitive code (although LINQ is improving quite a bit with each new release, overall it performs moderately to significantly faster than Java Streams, but usually slower than Rust iterators).
ALL? no. but based on my read of the article's linked bit on thread pinning, it seems like it has been substantially resolved, and remaining pinning scenarios are quite rare (they mention you can look for them in JFR).
JEP 484: Classfile API is going to be huge. It will take a while for full adoption, but finally being able abstract the backend of ByteBuddy/ASM/etc will be a gigantic boon. Being able to read/write classifies is one of the biggest hurdles at upgrade time.
They are both free (Oracle relaxed their license in 2021) with some caveats. If you choose Oracle, to continue to be free, you must always use latest Java version, otherwise you need to pay for security patches. This means updating every 6 months with each Java release.
Unless you need Oracle's JDK specifically, use one of several certified OpenJDK distributions. Amazon Coretto is a popular choice and they already have a v24 version. There are a few others. Temurin (weird name but basically the eclipse.org one) doesn't yet have one but is popular.
At this point there is no/little functional difference between distributions. The main reasons for using Oracle's distribution are usually non-technical and have to do with compliance, existing license & support agreements with Oracle.
Unless you are a bank (or similar organization) that has deals with Oracle on this or your CIO/CTO/legal tells you to use Oracle, you should avoid Oracle. There is no technical advantage and you potentially expose yourself to complicated licensing and commercial requirements and related auditing requirements.
All OpenJDK distributions, from all vendors, are also licensed by Oracle (which develops OpenJDK) with the GPLv2+CPE licence. The vendors build Oracle's source code and host branded binaries. If you file an issue, unless it's a problem with the build, they just forward it to Oracle.
Oracle also distributes the JDK with that same licence here: https://jdk.java.net, so there are two Oracle distributions with two different licences, both free but one open-source.
Yes. Oracle version is not free anymore: you need at least an Oracle product to use it.
As far as I know, it is "free of charge" if you have an Oracle DB license.
So avoid oracle version outside enterprise contract
Java’s version growth has been interesting to watch the past few years. I remember thinking “wow 9 is out, now 10, 11 is an LTS, we’ll go to that”. Still on Java 8. Too much other things to do.
It sure is weird seeing such high numbers. After pivoting away from java for a new job 4 years ago, I still get confused when people from 'old job' talk about how Java 24 is now here.
Kinda fun to think about that we'll have Java 30 before 2030 iirc.
Surprised nobody mentioned JEP 491 [1] yet. Basically it ensures the "synchronized" keyword can no longer mess up virtual threads. That's a big win for running existing code in virtual threads.
What will be the implications of this? e.g. Can we now handle more req/sec on I/O blocking services, because more requests can be serviced by VTs and they will not be blocked waiting for IO, so kinda like Node.js async model (for free) but with multiple threads?
That was always possible and the whole point of virtual threads. This concerns reliability. So far there was this annoying papercut of virtual threads not freeing up their carrier thread when they were waiting to enter a `synchronized` lock. That could easily lead to reduced throughput or even deadlocks when all carrier threads got pinned.
Readit News
I really want structured concurrency out of preview!! I think it helps close one of the last gaps golang has over Java in the ease-of-concurrent-programming side of things. Go makes channels and waitgroups pretty easy. I think structured concurrency is a great side-step of those primitives by actually making the higher-level tasks you use those tools to accomplish easier to write and reason about. Continuing a trend I see where go tends to have somewhat better primitives, but then obstinately does nothing with them to actually make the higher-level tasks easier to accomplish.
No pinning virtual threads is huge. Finally you can virtual thread with near-wild abandon, as God intended.
Love seeing Streams still getting love. I do a lot of fizzbuzz-esque interviews (the "can you code your way out of a paper bag" type screens) for my company and I think it says a lot that, in general, people who pick Java and use streams pass but people who don't use streams often get tripped up in their loop logic and fail (or, even if they don't fail per se, don't pass). It says a lot about ergonomics and intuitiveness, and also the power of the abstraction to tersely and compactly solve real problems, when a language is a big ally in interviews. And the cool thing about Java streams is that they're as powerful as Ruby's functional-style operation chaining (arr.map{}.reduce(:+) etc) but they're actually performant. I feel it also bears mentioning that people who use Ruby in these interviews, few as they are, almost always pass and do so while writing very few LOC :)
https://vorpus.org/blog/notes-on-structured-concurrency-or-g...
I think Kotlin still leads here, and even the Java changes don’t have the same nice ergonomics you get with Kotlin’s DSL. Would love to see more tenseness from Kotlin leak into Java.
Kotlin has the issue of being a guest language, and wanting to play in many playgrounds, eventually it will diverge as it always happens.
As it is already happening, like now how will Kotlin async deal with virtual threads expectations, including writing portable code that doesn't suffer from runtime semantics, depending on the target platform.
I stopped at "go statements are a form of goto statement."
This is simply not correct. They have some diagrams and squinted and said "hey, that looks the same as a goto statement", but unfortunatley they have their diagrams wrong. "go func" will run at scheduler's pleasure, not immediately after the statement "go func..". A goto statement is a deterministic flow control directive. It will goto where you tell it.
If SVTwP is not better than NIO; Java ends with JDK 23.
> Warnings issued in JDK 17–23 generated minimal discussion in the Java ecosystem
Because no feature added after 1.8 made sense, so nobody upgraded. They are taking decisions off the wrong data.
> they are encouraged to transition to alternative sandboxing and API interception mechanisms
Feel free to link to anything useful!
I don't think I buy your assertion that nobody has upgraded. I know of a 3000-4000-strong eng org at a certain company that has upgraded all the way from 8 to 17 as of when i left 3 years ago. They primarily wanted the GC improvements because they translated into huge immediate efficiency gains on their workloads (huge Spark/Hadoop spend savings, and moderate savings for the non-big-data jvm workloads).
I do share your lament of applets though. It would've been a way better runtime for portable/install-less/JIT-install things than the current nightmare of html/css/js/etc. But they just didn't have the browser integration - it would've needed to be more than just "look we put a drawing surface into the web browser" - and they didn't have the "window into the world" either (that's browsers). Unfortunately, it's the front door program and platform that owns the users, and that's web browsers.
Nothing sticks out, except container companies are probably very happy?
I wonder if the guys working on this did a search before starting: https://github.com/search?type=code&q=AccessController.doPri... (187k files)
But its biggest weakness is that it has to restrict a lot of overly powerful APIs. That's like spooning water with a sieve. It would have been better to let the host application restrict which APIs are visible in the first place, like it is done with browser APIs.
The projects that didn't upgrade so far are either dusty business-crirical applications that nobody cares to touch or that utterly deprioritize upgrades unless circumstances force them to. Most of the new features make a lot of sense, but nobody is going to gamble their job on forcing an upgrade just to being able to use them.
To suppress things like `System.exit(0)`, agents can be used. Proper sandboxing solutions would be VMs and containerization technologies. Achieving perfect sandboxing within a process is hopeless anyway.
I'm guessing they thought it couldn't hurt to do another round of testing. Since OpenJDK 25 will be an LTS release, I suspect it will go out of preview in the next release.
I see that formerly it pinned virtual threads "when it executes code inside a synchronized block or method", and "frequent pinning for long durations can harm the scalability of an application by capturing carriers". You were supposed to "avoid frequent and long-lived pinning by revising synchronized blocks or methods that run frequently and guard potentially long I/O operations to use java.util.concurrent.locks.ReentrantLock instead."
How big a problem was this in practice? On the one hand, I think "harm the scalability" is putting it mildly—if you have a whole bunch of virtual threads doing IO, only running num_cores of them at once is devastating. On the other hand, holding a lock while doing IO smells wrong. Is this really common?
It can deadlock and cause crashes if you do use a library impacted. It's sometimes hard to tell and you'd have to dig into the source. Sometimes the library maintainer wouldn't update the code to a different method for <reasons>.
> Is this really common?
Yes, maybe not in obvious ways e.g. many developers use Spring, which is backed by a large organization and you'd assume to have things covered but under the hood Spring itself uses many libraries and some often open source without much support (can be a personal project by a single developer).
In C# the API is a bit overturned for sharing a GUI thread but it does the job. Structured Concurrency makes the scopes more obvious but I'm worried about the ergonomics. What is the core use case for the design? Is it just to make collecting a set of concurrent tasks bullet proof? Are we going to see scopes abused and passed around to handle the non-happy path of "a function always ends before it's caller."
It doesn't seem to service GUI programming all that well. I guess there's still Kotlin's approach but hopefully something happens on the Java side.
At a surface level, yeah basically. And ask anyone who's used python's multiprocessing how hard that is to actually get completely right.
I don't think structured concurrency is going to be some panacea of multiprocessing at all. It's to address code you'd see in golang that's like, make a waitgroup, fire off N goroutines, wait for success and gather errors. That code is not incredibly fun in Java right now.
w.r.t. async/await, imo the beauty of virtual threads is that you've no longer got function coloring, and the "await"s are free, implicit, and performant. and of course you're never precluded from using higher level application locks that have always been there, including synchronized now.
Also, specifically w.r.t. gui programming, I think Java is unfortunately kind of stuck. JavaFX has been put into the back of the closet, Swing is completely ossified (though tbh I still like it), and what energy is there behind any non-electron/web GUI development anymore anyway? In a world where vscode, one of the most popular new "IDEs"/IDE platforms, is written in a frickin web browser, and mobile apps dominate a huge % of what constitutes "native" GUI development, I don't really blame Java for not prioritizing it beyond keeping Swing working on e.g. hiDPI displays and so on.
This is not a unique Ruby feature though. Iterators are very common nowadays. Java streams have okay performance, much like .NET's LINQ you likely won't be able to use them in a really performance-sensitive code (although LINQ is improving quite a bit with each new release, overall it performs moderately to significantly faster than Java Streams, but usually slower than Rust iterators).
Just like I expect WebAssembly security conversation to change when folks start plugging components left and right, beyond straight compute logic.
I think you were proven right at least a decade ago. As you said, this is just the final whimper.
Have ALL previous pinning scenarios been resolved, including native calls?
Raspberry 2 and Vision Five 2 are very future proof peices of hardware that Oracle and OpenJDK ignores!
At this point there is no/little functional difference between distributions. The main reasons for using Oracle's distribution are usually non-technical and have to do with compliance, existing license & support agreements with Oracle.
Unless you are a bank (or similar organization) that has deals with Oracle on this or your CIO/CTO/legal tells you to use Oracle, you should avoid Oracle. There is no technical advantage and you potentially expose yourself to complicated licensing and commercial requirements and related auditing requirements.
Oracle also distributes the JDK with that same licence here: https://jdk.java.net, so there are two Oracle distributions with two different licences, both free but one open-source.
Understandable. Depending on your use-case, sure go ahead and stay there.
However keep in mind that you're missing out on a lot of stuff. Java 8 is like literally from 11 years ago.
[1] https://openjdk.org/jeps/491
I will compare my NIO multiplayer system to SVTwP (Sync. Virt. Threads without Pinning) and report back!