Dissecting Memory Sessions

November 2022

For new users of the Foreign Function and Memory API (FFM API in short), the concept of memory session can seem jarring at first. Memory sessions force users to think explicitly about the lifetime of the memory segments they wish to create. Because of that, almost invariably, the first knee-jerk reaction is along the lines “but are memory sessions really needed?”

There are several forces pushing the FFM API towards a notion of a lifetime that can be shared across multiple segments:

The last point is especially important: in a way, the ability of creating an unsafe native memory segment, with given (raw) base address, size, session and cleanup action is the true primitive of the FFM API. Once we have that capability, we can easily express any kind of native segment: mapped segments, upcall segments, lookup symbols and variable-argument lists are nothing but simple wrappers around the unsafe native segment factory. For instance, a safe factory for native segments can be expressed as follows:

All this leads to an API where (perhaps surprisingly) segments are not individually allocated and/or released. Instead, the lifetime of multiple segments is managed in an atomic and centralized fashion, as follows:

Memory sessions especially shine in the context of native interop. When interacting with native code, memory sessions help developers managing lifetime of logically related allocations, with relative ease, as demonstrated in [1-8]. However, memory sessions are not simple to use, nor easy to understand, especially for users that are new to the FFM API.

This document has three goals: first, to highlight the issues that contribute to the perceived complexity of memory sessions; secondly, to discuss how to improve the status quo, primarily by teasing apart the various roles of memory sessions into separate abstractions; finally, to show how memory sessions could be integrated, with minor tweaks, with future enhancements, such as support for structured memory sessions.

Memory sessions: one lump too many?

There's no question that memory sessions are useful tools to manage lifetime of foreign memory. However, as defined in Java 19, the memory session API can look quite daunting at first:

There are many factors contributing to the complexity of memory sessions, some of which are necessary, but some which are more accidental. In the following sections we will discuss some problematic aspects of memory sessions.

Sessions and allocators

Memory sessions are not pure lifetime abstractions, as they also implement the SegmentAllocator interface. This was a result of a compromise the FFM API had to make, given that it is sometimes handy to be able to pass a MemorySession instance where a SegmentAllocator is expected. While this move is a pragmatic one, it creates some duplication in the API, as there's no difference between MemorySession::allocate and MemorySegment::allocateNative. And, the API does not provide solutions for clients who wish to associate a custom allocation strategy with a memory session. In such cases, clients would have to manage session and allocation abstractions independently, as shown below:

This is clearly suboptimal: now the client has two allocators: session (since MemorySession implements SegmentAllocator) and allocator , and it is up to developers to use the correct one. Ideally, what the code would like to do is to create a custom allocator, which can be wrapped in a try-with-resources block, and use that. But doing that is not trivial, primarily because an allocator cannot be used where a session is expected, and exposing a session accessor from the custom allocator can be problematic (as we shall see in a later section).

Closing sessions

Some sessions can be closed explicitly, such as those created via MemorySession::openConfined or MemorySession::openShared. But this is not captured in the API, which does not differentiate between sessions that can be closed explicitly and sessions that can never be closed (MemorySession::global) or sessions that are only closed implicitly, by the garbage collector (MemorySession::openImplicit). Moreover, having all memory sessions implement AutoCloseable is also problematic: code such as MemorySession.global().allocate(100) can easily lead to warnings, as an AutoCloseable resource (the session) is used without a try-with-resources block.

Sharing segments

When MemorySession was first added to the FFM API in Java 17 (back then it was called ResourceScope), our aim has been to move the close operation away from memory segments [9]. However, that problem was never fully addressed: since clients might need to co-allocate a segment into an existing session (e.g. this is useful if a new segment should contain pointers to the existing segment), all memory segments expose a session accessor:

Accessing a segment session is crucial to allow co-allocation. But having session accessors in segments is a risky move: since a session can be closed, clients of a segment can first access the segment session and then close it, thus potentially breaking encapsulation. This is a questionable API choice, especially when compared with other capability-based APIs: a MethodHandle doesn't expose the MethodHandles.Lookup instance with which it was created; nor does a Future exposes the ExecutorService which created it.

Our attempts at dropping session accessors [11] have not been successful. First, while we could simply remove the accessors and add some extra methods (e.g. liveness predicates) on MemorySegment, doing so would come at the expense of the important co-allocation use case. Second, memory segments are not the only entities which might expose session accessors, as custom allocator abstractions (as discussed above) might need those too: consider a SegmentAllocator which implements AutoCloseable, whose allocated segments are associated with the same lifetime.

For these reasons, the Java 19 API ended up with another compromise: all sessions are closeable, and segment clients can always access the segment session. But API writers can obtain a non-closeable view of an existing session: that is, a session that denotes the same lifetime as the original session, but whose close method always throws an exception:

The above code creates a session (privateSession) and then allocates a segment in a non-closeable view of privateSession. As a result, clients will not be able to close the session associated with the returned segment.

Equals, hashCode, isCloseable

Once we buy the idea of having multiple views associated with a given lifetime, we need some ways to compare them. E.g. a client might wish to compare two non-closeable session views, and ask whether they are associated with the same lifetime. In other words, memory sessions should implement equals/hashCode. And, since now we have some sessions views that cannot be closed, the MemorySession::isCloseable predicate is also required. Unfortunately, the isCloseable predicate is itself a source of confusion. For instance, it might be odd that a session whose isCloseable predicate returns false can be still closed, either explicitly (from another session, for which the predicate yields true), or implicitly (by the garbage collector). That is, all sessions are closeable (except for the global session), in some way or another.

Owner thread

Some memory sessions (e.g. confined sessions) can have an owner thread. The owner thread, when set, determines which thread can close the session and access segments associated with that session. Exposing the owner thread directly, as FFM does, is problematic, for a couple of reasons. First, the MemorySession::ownerThread method is leaking too much information - the only sensible thing clients can do with the returned thread is to compare it either against null, or Thread.currentThread(). Secondly, the method conflates session ownership and access capabilities. As we shall see, other kinds of sessions are possible, structured sessions, which can be closed by one thread (the owner thread), but can be accessed by multiple threads.

Keeping sessions alive

In a world where segments can be invalidated at any time (even racily, by threads running concurrently), it might be sometimes desirable to keep the session associated with a memory segment alive for a period of time, e.g. while performing a certain critical operation. The memory session API provides a method to do this, namely MemorySession::whileAlive, which runs a user-defined action while keeping a session alive. This method works, but can only be used, effectively, in a stack-confined situation, e.g. where the computation can be expressed using a lambda expression. As we have seen in [10], other, more unstructured cases, are also possible (e.g. async I/O operations).

Close actions

The MemorySession::addCloseAction method was originally intended for attaching cleanup actions to unsafe native segments, i.e. created using MemorySession::ofAddress. Looking at existing code using the FFM API [1-8], it is clear that this method has become an attractive nuisance, where many uses of this method could be replaced by a finally block. Even worse, having a way to be notified when a session becomes invalid brings up uncomfortable questions: should a client be notified before, or after a session is closed? The only thing the FFM API can do safely is the latter, but any custom cleanup logic the client might wish to run on some segments allocated in a session would require the former.

Session factories

There are several memory session factories. First, there is a singleton global session, a session that is always alive and cannot be closed (see MemorySession::global). Then there's a factory to create a new implicit memory session, which cannot be closed explicitly, but is closed implicitly, by the garbage collector (see MemorySession::openImplicit). Then we have factories to create new confined and shared sessions (see MemorySession::openConfined and MemorySession::openShared, respectively). These latter factories come with overloads, as clients can also create sessions that are both explicitly and implicitly closeable. This functionality is never used in practice [1-8]. Supporting confined sessions that can also be closed implicitly is problematic: confined sessions are meant to be accessed by a single thread, but cleaners typically run on a different thread (the Java 19 implementation needs to handle these cases with extreme care). And, even in the shared case, there is evident overlapping with MemorySession::openImplicit - and clients could still (manually) take a shared closeable session and have its close method called by a cleaner (this is done in [3]).

Towards more principled sessions

The memory session API seems to be doing too many things at once. As we have seen, a session acts as a lifetime abstraction for memory segments, which is critical to ensure that access operations on memory segments are temporally safe. Furthermore, memory sessions enable the important co-allocation use case (see above).

But a memory session is also a capability: it has a close method which can be used by clients to atomically and deterministically invalidate all segments associated with that session. The lack of separation between the lifetime and capability roles of memory sessions is a red herring: as we have seen, it creates the need, for API developers, to protect against untrusted close (MemorySession::asNonCloseableView), which in turn leads to even more API noise (e..g MemorySession::equals, MemorySession::hashCode and MemorySession::isCloseable). And, sessions also act as allocators, but, as we have seen it is not very easy for clients to create custom temporally-bounded allocators.

What if we had a simpler memory session abstraction? Something like this:

Here, MemorySession does not have a close method, nor does it implement AutoCloseable/SegmentAllocator. That is, MemorySession is now a pure lifetime abstraction, with some thread-confinement properties coming along for the ride. It is easy to see that, with a MemorySession defined this way, there is no issue with exposing a session accessor from memory segments (or from custom allocators) - after all, a session cannot be closed. Another advantage is that the above definition makes it clearer that implicit sessions and the global session cannot be closed explicitly. Overall, this seems a good step forward.


But what if clients want to take advantage of deterministic deallocation? We could introduce a separate abstraction, called arena:

An arena is a closeable allocator that is associated with a session - the arena session. All the segments allocated by the arena are associated with the arena session. When the arena is closed, the underlying session (which can be either shared or confined) is closed, thus invalidating all the segments associated with the arena session. Since arenas implement AutoCloseable, client code can be expressed succinctly, as follows:

In other words, client code can use Arena pretty much in the same way they would use MemorySession in the Java 19 API.

Custom arenas

The attentive reader might have noted the relationship between arenas and sessions. An arena has a session. This means there's nothing too special about an arena: an arena is just a temporally-bounded abstraction, associated with some memory session (in the same way a memory segment is). This makes it easy to define custom temporally-bounded abstractions, based on Arena, as shown below:

A custom arena is just a class wrapping an Arena and adding some custom behavior, like pre- or post-close actions, and/or support for custom allocation strategies. Since exposing session accessors is now completely safe, the custom arena can just return the session associated with the wrapped arena, without the need to take extra precautions (such as resorting to non-closeable session views, as in the Java 19 API).

Sharper close actions

The ability to add close actions to an entire session is handy, but also overly general, and prone to both misunderstanding and abuse. The method MemorySession::addCloseAction could be easily replaced with an additional overload of MemorySegment::ofAddress which allows clients to attach a Runnable to an unsafely created native segments. This would still cover the vast majority of use cases, without compromising readability of the code using the FFM API. If a client wants to define an arena with custom pre- or post-close actions, they can do so by defining a custom arena, as shown in the above section.

Structured arenas (optional)

All the arenas we have seen so far are completely unstructured. That is, they can be closed at any time, and, in case of a shared session, accessed (and closed) by any thread. Conversely, structured arenas build on the same principle behind Loom's StructuredTaskScope abstraction [12]: the session associated with a structured arena can only be closed by the thread that created it, but it can be safely accessed not just by a single thread, but by all the threads forked inside that arena (e.g. using a StructuredTaskScope) - these threads keep the structured session alive:

As shown above, a structured session is something that sits in between confined sessions and shared sessions. It can only be closed by the thread that created it (as a confined session), but it can be accessed by multiple threads (as a shared session), all the threads that have been forked from a StructuredTaskScope nested inside the structured arena's try-with-resources block. Any attempt to close a structured arena when any of the threads accessing it have not yet terminated, will result in a StructureViolationException.

More temporal predicates (optional)

With the addition of structured session, clients might be interested to ask whether a session is nested inside another session. In other words, comparing two sessions for equality might not be enough in the world of structured sessions. To accommodate this, we might add a method on sessions, namely MemorySession::isAliveIn(MemorySession) which returns true if a session is always alive in the context of the provided session. As a bonus, we could make this method always return true if the provided session is the global session (since all sessions can be seen as nested inside the global session, which is always alive).

Unstructured dependencies (optional)

Structured arenas are handy, not only because they provide the flexibility of shared sessions with none of the costs, but also because they allow programs to reason about lifetime containment (e.g. the MemorySession::isAliveIn). Consider an hypothetical factory for two-dimensional matrices, such as the one below:

This factory takes a session, namely the lifetime associated with the returned matrix instance, and an external buffer, presumably containing the data associated with the matrix to be created. Now, for this API to work safely, and w/o the possibilities of JVM crashes, the factory would need to ensure that some temporal dependency exists between matrixSession and matrixBuffer. In other words:

Now, for structured sessions, we can imagine non-trivial cases where this check would succeed. But for plain unstructured sessions, we quickly run out of gas: the only case we can safely support is if either the buffer is associated with matrixSession, or if the buffer is associated with the global session.

It would be interesting to allow for ad-hoc dependencies between unstructured sessions to be expressed in the FFM API, following the approach described in [10]. If we had dependencies between unstructured sessions, we then could write code like this:

The above code creates a new confined arena, which declares an explicit dependency on the buffer session. This means that the buffer session cannot be closed until the arena is also closed. Since there's a clear lifetime dependency between the matrix session and the buffer session, MemorySession::isAliveIn returns true, and the matrix creation succeeds.

Finer-grained ownership predicates

We have seen how MemorySession::ownerThread cannot handle cases where a session can be accessed by more thread than just the owner (which is the case for structured session). We can replace ownerThread with a better set of predicates:

The new predicates are, crucially, more granular, allowing clients to distinguish between ownership (who can call close) and access. Under this new light, our various session kinds can be clearly classified as follows:

As a nice bonus, the new predicates also fully encapsulate the session's owner thread.


By dropping AutoCloseable and SegmentAllocator, we can turnMemorySession into a pure lifetime abstraction: since there's no close method, sessions can always be shared safely, and there's no need for MemorySession::asNonCloseable . This, in turn, allows us to also drop isCloseable, equals and hashCode from the API. We can also leave out MemorySession::addCloseAction - as that can be replaced with a more focused API (e.g. overload of MemorySegment::ofAddress, see above). In fact, this new Runnable-accepting unsafe segment factory is the true primitive on top of which mapped segments, upcall segments and library symbol segments are all built.

Moreover, a session is no longer a SegmentAllocator. The addition of the separate Arena API allows us to simplify user code in the vastly common case [1-8] where a bunch of logically related allocations occurs within a single code block. Moreover, arenas provide a solid foundation for building custom temporal abstractions, such as custom allocators.

Since structured sessions have a well-behaved close semantics, clients using them do not have to worry about premature close: methods like MemorySession::whileAlive are no-op on structured sessions. And, as virtual threads will be used more and more to turn asynchronous code into synchronous one, whileAlive might just be good enough, especially if we also add dependencies between unstructured sessions.

By providing a clear separation between the lifetime and capability roles of the memory session API, not only we have arrived at an API that looks conceptually simpler than the API in Java 19, but also one on top of which clients can build custom temporal abstractions in a more clean and predictable fashion.

Appendix: Full API

We report below, for completeness, the full API of MemorySession and Arena which includes all the tweaks discussed in the previous sections.

The methods in (1) and (2) are associated with optional extensions. More specifically, methods in (1) add support for structured sessions, whereas methods in (2) add support for dependencies between unstructured sessions.


[1] - https://github.com/manuelbl/JavaDoesUSB [2] - https://github.com/carldea/panama4newbies [3] - https://github.com/rmaucher/openssl-panama-foreign [4] - https://github.com/openjdk/jextract [5] - https://github.com/netty/netty-incubator-buffer-api [6] - https://github.com/apache/lucene [7] - https://github.com/cryptomator/jfuse [8] - https://github.com/jzy3d/panama-gl [9] - https://inside.java/2021/01/25/memory-access-pulling-all-the-threads/ [10] - https://inside.java/2021/10/12/panama-scope-dependencies/ [11] - https://mail.openjdk.org/pipermail/panama-dev/2022-February/016152.html [12] - https://docs.oracle.com/en/java/javase/19/docs/api/jdk.incubator.concurrent/jdk/incubator/concurrent/StructuredTaskScope.html