JNI bugfixes #1687
JNI bugfixes #1687
Conversation
Unlike a C FFI where we need some mechanism to signal an error state, with JNI thrown exceptions trigger as soon as the JNI function returns. These functions had no declared return value on the Kotlin side and thus were not using the returned boolean in any way; this change fixes the type signatures to match.
| @@ -1809,7 +1802,7 @@ pub extern "C" fn Java_cash_z_ecc_android_sdk_internal_jni_RustBackend_proposeTr | |||
| let network = parse_network(network_id as u32)?; | |||
There was a problem hiding this comment.
On line 1801 the wrong method name is used in the info_span!.
| let memo = utils::java_nullable_bytes_to_rust(env, &memo)? | ||
| .as_deref() | ||
| .map(MemoBytes::from_bytes) | ||
| .transpose() | ||
| .map_err(|e| anyhow!("Invalid MemoBytes: {}", e))?; |
There was a problem hiding this comment.
This pattern occurs twice (also in RustBackend.proposeShielding); consider adding a nullable_memo_bytes_from_jni helper.
| let seed_fingerprint = | ||
| utils::java_nullable_bytes_to_rust(env, &seed_fingerprint_bytes)? | ||
| .and_then(|b| b.as_slice().try_into().ok()) | ||
| .map(SeedFingerprint::from_bytes); |
There was a problem hiding this comment.
Although this happens to only be used once, it's doing the same kind of thing as the other conversion functions, so I might be inclined to add a nullable_seed_fingerprint_from_jni helper anyway.
| let addr = utils::java_string_to_rust(env, &addr)?; | ||
|
|
||
| match Address::decode(&network, &addr) { | ||
| Some(addr) => match addr { |
There was a problem hiding this comment.
Consider this helper:
fn parse_address(env: &JNIEnv, network_id: jint, addr: JString) -> anyhow::Result<ZcashAddress> {
let network = parse_network(network_id as u32)?;
let addr = utils::java_string_to_rust(env, &addr)?;
Address::decode(&network, &addr).ok_or(anyhow!("Address is for the wrong network"))
}Then lines 830-839 become just:
match parse_address(network_id, addr)? {
Address::Sapling(_) => Ok(JNI_TRUE),
Address::Transparent(_) | Address::Unified(_) | Address::Tex(_) => Ok(JNI_FALSE),
}This can also be used in isValid{Transparent,Unified,Tex}Address, saving 15 non-blank lines overall I think.
| @@ -2036,12 +2025,12 @@ pub extern "C" fn Java_cash_z_ecc_android_sdk_internal_jni_RustBackend_createPro | |||
| let network = parse_network(network_id as u32)?; | |||
There was a problem hiding this comment.
On line 2024 the wrong method name is used in the info_span!.
There was a problem hiding this comment.
I checked all other uses of info_span! and made comments for any inconsistencies.
| @@ -2169,8 +2157,7 @@ pub extern "C" fn Java_cash_z_ecc_android_sdk_internal_jni_RustBackend_requiresS | |||
| let res = catch_unwind(&mut env, |env| { | |||
| let _span = tracing::info_span!("RustBackend.pcztRequiresSaplingProofs").entered(); | |||
There was a problem hiding this comment.
This is the name used in Kotlin at the wrapper layer, but at the JNI layer it is called requiresSaplingProofs. In other cases the name is the same. Rename the JNI method to pcztRequiresSaplingProofs.
There was a problem hiding this comment.
We cannot rename the JNI method, because the arguments between the extern function and the Backend trait method are identical. You'll see I use different names for several such methods, whereas when the Backend trait method has fewer arguments (e.g. due to us inserting a db_data path for the JNI) we use the same method name.
There was a problem hiding this comment.
It might be better to systematically use a different name (e.g. add an ffi prefix), rather than sometimes use the same name and sometimes a different one.
| @@ -2169,8 +2157,7 @@ pub extern "C" fn Java_cash_z_ecc_android_sdk_internal_jni_RustBackend_requiresS | |||
| let res = catch_unwind(&mut env, |env| { | |||
| let _span = tracing::info_span!("RustBackend.pcztRequiresSaplingProofs").entered(); | |||
|
|
|||
| let pczt = Pczt::parse(&env.convert_byte_array(pczt)?[..]) | |||
| .map_err(|e| anyhow!("Invalid PCZT: {:?}", e))?; | |||
| let pczt = parse_pczt(env, &pczt)?; | |||
|
|
|||
| let prover = Prover::new(pczt); | |||
|
|
|||
There was a problem hiding this comment.
Aside (just below): I'm perplexed that there is no From<bool> for jboolean. Doesn't matter I guess; this pattern only occurs once. Filed jni-rs/jni-rs#564
| @@ -1050,7 +1050,7 @@ pub extern "C" fn Java_cash_z_ecc_android_sdk_internal_jni_RustBackend_writeBloc | |||
| _: JClass<'local>, | |||
| db_cache: JString<'local>, | |||
| block_meta: JObjectArray<'local>, | |||
| ) -> jboolean { | |||
There was a problem hiding this comment.
The same argument applies to initBlockMetaDb: the return value is always discarded.
There was a problem hiding this comment.
utACK with non-blocking suggestions. The errors in info_span! strings should be addressed but it would be fine to do so in another PR.
Note that, as pointed out in #1688, there are easily fixable clippy lint failures. Also needs ktlint --format.
| env.get_string(jstring) | ||
| .expect("Couldn't get Java string!") | ||
| .into() | ||
| pub(crate) fn java_bytes_to_rust(env: &JNIEnv, jbytes: &JByteArray) -> anyhow::Result<Vec<u8>> { |
There was a problem hiding this comment.
This could be jbytes: JByteArray since it is effectively already a pointer (see the comment on parse_secret).
There was a problem hiding this comment.
Leaving as-is because the method it wraps takes a reference, and this method doesn't do anything special on top (the type-specific helper methods do by comparison; they effectively are converting type, so we want to move there).
| (!jstring.is_null()).then(|| java_string_to_rust(env, jstring)) | ||
| pub(crate) fn java_nullable_bytes_to_rust( | ||
| env: &JNIEnv, | ||
| jbytes: &JByteArray, |
There was a problem hiding this comment.
This could be jbytes: JByteArray since it is effectively already a pointer (see the comment on parse_secret).
| .transpose() | ||
| } | ||
|
|
||
| pub(crate) fn java_string_to_rust(env: &mut JNIEnv, jstring: &JString) -> anyhow::Result<String> { |
There was a problem hiding this comment.
This could be jstring: JString since it is effectively already a pointer (see the comment on parse_secret).
|
|
||
| pub(crate) fn java_nullable_string_to_rust( | ||
| env: &mut JNIEnv, | ||
| jstring: &JString, |
There was a problem hiding this comment.
This could be jstring: JString since it is effectively already a pointer (see the comment on parse_secret).
| impl zcash_address::TryFromRawAddress for UnifiedAddressParser { | ||
| type Error = anyhow::Error; | ||
|
|
||
| fn try_from_raw_unified( | ||
| data: zcash_address::unified::Address, | ||
| ) -> Result<Self, zcash_address::ConversionError<Self::Error>> { | ||
| data.try_into() | ||
| .map(UnifiedAddressParser) | ||
| .map_err(|e| anyhow!("Invalid Unified Address: {}", e).into()) | ||
| } | ||
| } |
There was a problem hiding this comment.
Why not just use https://github.com/zcash/librustzcash/blob/main/zcash_keys/src/address.rs#L28?
It's really weird to me to have to go through TryFromRawAddress for these straightforward operations.
There was a problem hiding this comment.
(I mean, why not use it directly?)
There was a problem hiding this comment.
I am using that; it's the data.try_into() call. The rest of the TryFromRawAddress machinery here is ensuring that if someone passes a string that isn't a UA (and is instead some other kind of address, or not an address at all), we get correct errors.
There was a problem hiding this comment.
Ah. So, looking at the call sites of parse_ua, what is the reason to restrict these to unified addresses? If we parsed an arbitrary ZcashAddress at these call sites, we could still extract the transparent and/or Sapling receivers if present.
There was a problem hiding this comment.
That might be worth considering, but that's outside the scope of this PR.
This fixes multiple JNI type signature inconsistencies, and cleans up argument handling on the Rust side to be less error-prone.
fixes #1657, fixes #1684
Author
Reviewer
Footnotes
Code often looks different when reviewing the diff in a browser, making it easier to spot potential bugs. ↩
While we aim for automated testing of the SDK, some aspects require manual testing. If you had to manually test
something during development of this pull request, write those steps down. ↩
While we are not looking for perfect coverage, the tool can point out potential cases that have been missed. Code coverage can be generated with:
./gradlew checkfor Kotlin modules and./gradlew connectedCheck -PIS_ANDROID_INSTRUMENTATION_TEST_COVERAGE_ENABLED=truefor Android modules. ↩Having your code up to date and squashed will make it easier for others to review. Use best judgement when squashing commits, as some changes (such as refactoring) might be easier to review as a separate commit. ↩
In addition to a first pass using the code review guidelines, do a second pass using your best judgement and experience which may identify additional questions or comments. Research shows that code review is most effective when done in multiple passes, where reviewers look for different things through each pass. ↩
While the CI server runs the demo app to look for build failures or crashes, humans running the demo app are
more likely to notice unexpected log messages, UI inconsistencies, or bad output data. Perform this step last, after verifying the code changes are safe to run locally. ↩