Guice 6.0.0 version Uses internal APIs: sun.misc.Unsafe and not compatible with Java 17/21

Question

Guice 6.0.0 version Uses internal APIs: sun.misc.Unsafe and not compatible with Java 17/21

Opened this issue 6 months ago · 8 comments

Hi Team,

I am planning to run my application Java 21, when I run "jdeps --multi-release 21 -jdkinternals" scan I am getting below report for Guice 6.0.0 version

"Uses internal APIs: sun.misc.Unsafe "

Which version of Guice onwards it is compatible with Java 21?

Thanks
Ashok.

Answer 1 · 2025-05-08T07:27:24.000Z

Guice 7 is compatible to JDK 23

Answer 2 · 2025-06-02T06:47:43.000Z

Maven is also affected:
~~https://issues.apache.org/jira/browse/MNG-8760~~

apache/maven#10312

Answer 3 · 2025-06-02T09:38:22.000Z

@slawekjaranowski thank you for the update.

Answer 4 · 2025-06-02T09:54:04.000Z

@ilapavuluri for me issue still exist, so should not be closed as complete.

To be clear, should be commented, that is not planned and so on ... and close as not planned or not close when should be fixed.

Answer 5 · 2025-07-17T15:03:28.000Z

Maven is also affected:
https://issues.apache.org/jira/browse/MNG-8760

Note that that issue has moved to apache/maven#10312 .

It's odd that such a critical issue (which will block usage in upcoming Java versions, and is already proving irritating in worldwide toolchains with Maven) doesn't even have an indication of whether the issue will be addressed ever.

Answer 6 · 2025-07-18T16:31:49.000Z

@slawekjaranowski , the Maven team may want to start looking into alternatives to Google Guice, if there is no motivation at Google in making it compliant with upcoming Java versions. You'll notice that Guice 7.0.0 was released over two years ago, with no releases since then. As noted in another discussion, their efforts seem to have shifted to Dagger. The Maven team should probably start thinking of backup plans now, as no one on the Guice team has bothered to give a status and there is no indication that anything will get done.

Answer 7 · 2025-07-18T17:32:45.000Z

My 2 cents: If you need to support modern versions of Java, steer clear of Google libraries. They have a history of dragging their feet or refusing altogether to fix these kinds of issues. It took us 8 years to convince them to add module-info.java to Guava and honestly I'm surprised it happened in the end: google/guava#2970

Answer 8 · 2025-09-20T11:33:09.000Z

I might be misunderstanding here, but is this not just a case of Google bundling a META-INF/versions/15 directory with a modified version of...

      theUnsafe = UnsafeGetter.getUnsafe();
      Field trustedLookupField = Lookup.class.getDeclaredField("IMPL_LOOKUP");
      trustedLookupBase = theUnsafe.staticFieldBase(trustedLookupField);
      trustedLookupOffset = theUnsafe.staticFieldOffset(trustedLookupField);
      hiddenClassOptions = classOptions("NESTMATE");
      hiddenDefineMethod =
          Lookup.class.getMethod(
              "defineHiddenClass", byte[].class, boolean.class, hiddenClassOptions.getClass());

...that calls the public API for this?

https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/invoke/MethodHandles.Lookup.html#defineHiddenClass(byte%5B%5D,boolean,java.lang.invoke.MethodHandles.Lookup.ClassOption...)

Or just that invokes it dynamically if available first, and falls back to a version that works pre-Java 15?

Not sure I understand why this has to be achieved via unsafe reflection if the public API has existed since Java 15?

On the topic of moving off of Guice... not sure if that is a simple fix or not since I believe Guice is used between Eclipse Sisu and Plexus within Maven to provide the CDI integration that underpins most of how Maven operates. Agree though that eventually a solution will need to be found once OpenJDK totally rip out sun.misc.Unsafe here.