Enforce io.netty.maxDirectMemory accounting on all Java versions (#16489)

j-bahr · chrisvest · web-flow · commit 7937553d8f49 · 2026-03-23T21:08:38.000Z
**Motivation**:

Netty selects a Cleaner implementation based on the Java version and
whether `sun.misc.Unsafe` is available. The selection matrix is:
```
  Java version   | Unsafe available | Cleaner selected
  ───────────────|──────────────────|─────────────────────
  6-8            | Yes              | DirectCleaner
  9-23           | Yes              | DirectCleaner
  24             | Yes (warnings)   | DirectCleaner
  24             | No, native access| CleanerJava24Linker
  25+            | No, native access| CleanerJava24Linker
  25+            | No               | CleanerJava25
```
Before this change, direct memory accounting (`incrementMemoryCounter` /
`decrementMemoryCounter`) was coupled to `USE_DIRECT_BUFFER_NO_CLEANER`,
which was only true when Unsafe was available. This had two
consequences:

1. `DIRECT_MEMORY_COUNTER` was only initialized inside the
`USE_DIRECT_BUFFER_NO_CLEANER=true` branch, so on any Java version
without Unsafe the counter was always null even if the user explicitly
set `io.netty.maxDirectMemory`.

2. The accounting calls themselves lived only in PlatformDependent's
legacy NoCleaner methods (`allocateDirectNoCleaner`,
`reallocateDirectNoCleaner`, `freeDirectNoCleaner`), which were only
called by DirectCleaner. The other Cleaner implementations
(`CleanerJava9`, `CleanerJava6`, `CleanerJava24Linker`, `CleanerJava25`)
never called these methods and performed no accounting.

The combined effect was that the configured limit was silently ignored
on every path that didn't go through DirectCleaner:
```
  Java version   | Unsafe | Cleaner             | Counter init | Accounting
  ───────────────|────────|─────────────────────|──────────────|───────────
  6-8            | Yes    | DirectCleaner       | Yes          | Yes ✓
  9-23           | Yes    | DirectCleaner       | Yes          | Yes ✓
  24             | Yes    | DirectCleaner       | Yes          | Yes ✓
  24             | No     | CleanerJava24Linker | No           | No  ✗
  25+            | No     | CleanerJava24Linker | No           | No  ✗
  25+            | No     | CleanerJava25       | No           | No  ✗
```
On Java 25+, where Unsafe is disabled by default, this means
`io.netty.maxDirectMemory` has no effect at all.

**Modifications**:

- Decouple `DIRECT_MEMORY_COUNTER` initialization from Unsafe
availability. The counter is now created based solely on the value of
`io.netty.maxDirectMemory`, independent of
`USE_DIRECT_BUFFER_NO_CLEANER`.

- Move accounting into each Cleaner's `CleanableDirectBufferImpl` so
that every allocation/deallocation pair tracks memory regardless of
which Cleaner is active:
- `DirectCleaner`: increment in `CleanableDirectBufferImpl(int
capacity)` constructor, decrement in `clean()`.
  - `CleanerJava9`: increment in constructor, decrement in `clean()`.
  - `CleanerJava6`: increment in constructor, decrement in `clean()`.
- `CleanerJava24Linker`: increment before `malloc()`, decrement in
`clean()`, with rollback on allocation failure.
- `CleanerJava25`: increment in `allocate()` before MethodHandle invoke,
decrement in `clean()` via finally block.

- Change `incrementMemoryCounter`/`decrementMemoryCounter` from private
to package-private so Cleaner implementations (same package) can call
them directly.

- Add a default `reallocate(CleanableDirectBuffer, int)` method to the
Cleaner interface with an allocate-copy-free fallback. DirectCleaner
overrides this with in-place `Unsafe.reallocateMemory`, adjusting the
counter by the delta.

- Add `PlatformDependent.reallocateDirect()` as the unified public entry
point for reallocation.

- Remove the legacy NoCleaner API surface from PlatformDependent:
`allocateDirectNoCleaner`, `allocateDirectBufferNoCleaner`,
`reallocateDirectNoCleaner`, `reallocateDirectBufferNoCleaner`, and
`freeDirectNoCleaner`.

- Remove `USE_DIRECT_BUFFER_NO_CLEANER` and `DIRECT_CLEANER` fields.
`CLEANER` is now the single entry point; `useDirectBufferNoCleaner()`
returns whether `CLEANER` is an instance of DirectCleaner.

- Update `UnpooledUnsafeNoCleanerDirectByteBuf` to use the new unified
API: remove the `allocateDirectBuffer()` override (parent's impl now
does the right thing via `PlatformDependent.allocateDirect()`), and
delegate `reallocateDirect()` to `PlatformDependent.reallocateDirect()`.

- Update `PlatformDependentTest.testAllocateWithCapacity0()` to use the
new CleanableDirectBuffer-based API.

**Result**:

After this change, the accounting matrix becomes:
```
  Java version   | Unsafe | Cleaner             | Counter init | Accounting
  ───────────────|────────|─────────────────────|──────────────|───────────
  6-8            | Yes    | DirectCleaner       | Yes          | Yes ✓
  9-23           | Yes    | DirectCleaner       | Yes          | Yes ✓
  24             | Yes    | DirectCleaner       | Yes          | Yes ✓
  24             | No     | CleanerJava24Linker | Yes          | Yes ✓
  25+            | No     | CleanerJava24Linker | Yes          | Yes ✓
  25+            | No     | CleanerJava25       | Yes          | Yes ✓
```
`io.netty.maxDirectMemory` is now enforced on all Java versions and all
Cleaner implementations. The legacy raw-ByteBuffer NoCleaner API surface
is eliminated, and each `CleanableDirectBuffer` is responsible for its
own accounting.

---------

Co-authored-by: Chris Vest &lt;mr.chrisvest@gmail.com&gt;
diff --git a/buffer/src/main/java/io/netty/buffer/UnpooledByteBufAllocator.java b/buffer/src/main/java/io/netty/buffer/UnpooledByteBufAllocator.java
@@ -68,7 +68,7 @@ public UnpooledByteBufAllocator(boolean preferDirect, boolean disableLeakDetecto
      * @param disableLeakDetector {@code true} if the leak-detection should be disabled completely for this
      *                            allocator. This can be useful if the user just want to depend on the GC to handle
      *                            direct buffers when not explicit released.
-     * @param tryNoCleaner {@code true} if we should try to use {@link PlatformDependent#allocateDirectNoCleaner(int)}
+     * @param tryNoCleaner {@code true} if we should try to use {@link PlatformDependent#allocateDirect(int)}
      *                            to allocate direct memory.
      */
     public UnpooledByteBufAllocator(boolean preferDirect, boolean disableLeakDetector, boolean tryNoCleaner) {
@@ -195,10 +195,11 @@ protected CleanableDirectBuffer allocateDirectBuffer(int capacity, boolean permi
         }
 
         @Override
-        CleanableDirectBuffer reallocateDirect(CleanableDirectBuffer oldBuffer, int initialCapacity) {
-            int capacity = oldBuffer.buffer().capacity();
-            CleanableDirectBuffer buffer = super.reallocateDirect(oldBuffer, initialCapacity);
-            return new DecrementingCleanableDirectBuffer(alloc(), buffer, buffer.buffer().capacity() - capacity);
+        CleanableDirectBuffer reallocateDirect(CleanableDirectBuffer oldBuffer, int newCapacity) {
+            int oldCapacity = oldBuffer.buffer().capacity();
+            CleanableDirectBuffer buffer = super.reallocateDirect(oldBuffer, newCapacity);
+            return new DecrementingCleanableDirectBuffer(
+                    alloc(), buffer, buffer.buffer().capacity() - oldCapacity);
         }
     }
 
diff --git a/buffer/src/main/java/io/netty/buffer/UnpooledUnsafeNoCleanerDirectByteBuf.java b/buffer/src/main/java/io/netty/buffer/UnpooledUnsafeNoCleanerDirectByteBuf.java
@@ -25,23 +25,13 @@ class UnpooledUnsafeNoCleanerDirectByteBuf extends UnpooledUnsafeDirectByteBuf {
         super(alloc, initialCapacity, maxCapacity);
     }
 
-    @Override
-    protected CleanableDirectBuffer allocateDirectBuffer(int capacity) {
-        return PlatformDependent.allocateDirectBufferNoCleaner(capacity);
-    }
-
-    @Override
-    protected CleanableDirectBuffer allocateDirectBuffer(int capacity, boolean ignorePermitExpensiveClean) {
-        return PlatformDependent.allocateDirectBufferNoCleaner(capacity);
-    }
-
     @Override
     protected ByteBuffer allocateDirect(int initialCapacity) {
         throw new UnsupportedOperationException();
     }
 
-    CleanableDirectBuffer reallocateDirect(CleanableDirectBuffer oldBuffer, int initialCapacity) {
-        return PlatformDependent.reallocateDirectBufferNoCleaner(oldBuffer, initialCapacity);
+    CleanableDirectBuffer reallocateDirect(CleanableDirectBuffer oldBuffer, int newCapacity) {
+        return PlatformDependent.reallocateDirect(oldBuffer, newCapacity);
     }
 
     @Override
diff --git a/common/src/main/java/io/netty/util/internal/Cleaner.java b/common/src/main/java/io/netty/util/internal/Cleaner.java
@@ -30,6 +30,26 @@ interface Cleaner {
      */
     CleanableDirectBuffer allocate(int capacity);
 
+    /**
+     * Reallocate a direct buffer with a new capacity. The old buffer is consumed and
+     * must not be used after this call.
+     * <p>
+     * The default implementation allocates a new buffer, copies the data, and frees the old one.
+     * Implementations may override this to provide more efficient reallocation (e.g. via
+     * {@code Unsafe.reallocateMemory}).
+     */
+    default CleanableDirectBuffer reallocate(CleanableDirectBuffer old, int newCapacity) {
+        CleanableDirectBuffer newBuf = allocate(newCapacity);
+        ByteBuffer oldBB = old.buffer();
+        ByteBuffer newBB = newBuf.buffer();
+        int bytesToCopy = Math.min(oldBB.capacity(), newCapacity);
+        oldBB.position(0).limit(bytesToCopy);
+        newBB.position(0).limit(bytesToCopy);
+        newBB.put(oldBB).clear();
+        old.clean();
+        return newBuf;
+    }
+
     /**
      * Free a direct {@link ByteBuffer} if possible
      *
diff --git a/common/src/main/java/io/netty/util/internal/CleanerJava24Linker.java b/common/src/main/java/io/netty/util/internal/CleanerJava24Linker.java
@@ -236,11 +236,19 @@ private static final class CleanableDirectBufferImpl implements CleanableDirectB
         private final long memoryAddress;
 
         private CleanableDirectBufferImpl(int capacity) {
-            long addr = malloc(capacity);
+            PlatformDependent.incrementMemoryCounter(capacity);
+            long addr;
+            try {
+                addr = malloc(capacity);
+            } catch (Throwable e) {
+                PlatformDependent.decrementMemoryCounter(capacity);
+                throw e;
+            }
             try {
                 memoryAddress = addr;
                 buffer = (ByteBuffer) INVOKE_CREATE_BYTEBUFFER.invokeExact(addr, (long) capacity);
             } catch (Throwable throwable) {
+                PlatformDependent.decrementMemoryCounter(capacity);
                 Error error = new Error(throwable);
                 try {
                     free(addr);
@@ -258,7 +266,9 @@ public ByteBuffer buffer() {
 
         @Override
         public void clean() {
+            int capacity = buffer.capacity();
             free(memoryAddress);
+            PlatformDependent.decrementMemoryCounter(capacity);
         }
 
         @Override
diff --git a/common/src/main/java/io/netty/util/internal/CleanerJava25.java b/common/src/main/java/io/netty/util/internal/CleanerJava25.java
@@ -169,11 +169,14 @@ static boolean isSupported() {
     @SuppressWarnings("OverlyStrongTypeCast") // The cast is needed for 'invokeExact' semantics.
     @Override
     public CleanableDirectBuffer allocate(int capacity) {
+        PlatformDependent.incrementMemoryCounter(capacity);
         try {
             return (CleanableDirectBufferImpl) INVOKE_ALLOCATOR.invokeExact(capacity);
         } catch (RuntimeException e) {
+            PlatformDependent.decrementMemoryCounter(capacity);
             throw e; // Propagate the runtime exceptions that the Arena would normally throw.
         } catch (Throwable e) {
+            PlatformDependent.decrementMemoryCounter(capacity);
             throw new IllegalStateException("Unexpected allocation exception", e);
         }
     }
@@ -209,12 +212,15 @@ public ByteBuffer buffer() {
 
         @Override
         public void clean() {
+            int capacity = buffer.capacity();
             try {
                 closeable.close();
             } catch (RuntimeException e) {
                 throw e; // Propagate the runtime exceptions that Arena would normally throw.
             } catch (Exception e) {
                 throw new IllegalStateException("Unexpected close exception", e);
+            } finally {
+                PlatformDependent.decrementMemoryCounter(capacity);
             }
         }
 
diff --git a/common/src/main/java/io/netty/util/internal/CleanerJava6.java b/common/src/main/java/io/netty/util/internal/CleanerJava6.java
@@ -156,6 +156,7 @@ private static final class CleanableDirectBufferImpl implements CleanableDirectB
 
         private CleanableDirectBufferImpl(ByteBuffer buffer) {
             this.buffer = buffer;
+            PlatformDependent.incrementMemoryCounter(buffer.capacity());
         }
 
         @Override
@@ -165,7 +166,9 @@ public ByteBuffer buffer() {
 
         @Override
         public void clean() {
+            int capacity = buffer.capacity();
             freeDirectBufferStatic(buffer);
+            PlatformDependent.decrementMemoryCounter(capacity);
         }
     }
 }
diff --git a/common/src/main/java/io/netty/util/internal/CleanerJava9.java b/common/src/main/java/io/netty/util/internal/CleanerJava9.java
@@ -133,6 +133,7 @@ private static final class CleanableDirectBufferImpl implements CleanableDirectB
 
         private CleanableDirectBufferImpl(ByteBuffer buffer) {
             this.buffer = buffer;
+            PlatformDependent.incrementMemoryCounter(buffer.capacity());
         }
 
         @Override
@@ -142,7 +143,9 @@ public ByteBuffer buffer() {
 
         @Override
         public void clean() {
+            int capacity = buffer.capacity();
             freeDirectBufferStatic(buffer);
+            PlatformDependent.decrementMemoryCounter(capacity);
         }
     }
 }
diff --git a/common/src/main/java/io/netty/util/internal/DirectCleaner.java b/common/src/main/java/io/netty/util/internal/DirectCleaner.java
@@ -20,28 +20,50 @@
 final class DirectCleaner implements Cleaner {
     @Override
     public CleanableDirectBuffer allocate(int capacity) {
-        return new CleanableDirectBufferImpl(PlatformDependent.allocateDirectNoCleaner(capacity));
+        return new CleanableDirectBufferImpl(capacity);
+    }
+
+    @Override
+    public CleanableDirectBuffer reallocate(CleanableDirectBuffer old, int newCapacity) {
+        int oldCapacity = old.buffer().capacity();
+        int delta = newCapacity - oldCapacity;
+        PlatformDependent.incrementMemoryCounter(delta);
+        try {
+            ByteBuffer newBuffer = PlatformDependent0.reallocateDirectNoCleaner(
+                    old.buffer(), newCapacity);
+            return new CleanableDirectBufferImpl(newBuffer);
+        } catch (Throwable e) {
+            PlatformDependent.decrementMemoryCounter(delta);
+            throw e;
+        }
     }
 
     @Override
     public void freeDirectBuffer(ByteBuffer buffer) {
-        PlatformDependent.freeDirectNoCleaner(buffer);
+        PlatformDependent0.freeMemory(PlatformDependent0.directBufferAddress(buffer));
     }
 
     @Override
     public boolean hasExpensiveClean() {
         return false;
     }
 
-    CleanableDirectBuffer reallocate(CleanableDirectBuffer buffer, int capacity) {
-        ByteBuffer newByteBuffer = PlatformDependent.reallocateDirectNoCleaner(buffer.buffer(), capacity);
-        return new CleanableDirectBufferImpl(newByteBuffer);
-    }
-
     private static final class CleanableDirectBufferImpl implements CleanableDirectBuffer {
         private final ByteBuffer buffer;
 
-        private CleanableDirectBufferImpl(ByteBuffer buffer) {
+        // Used for normal allocation — allocates memory and increments counter
+        CleanableDirectBufferImpl(int capacity) {
+            PlatformDependent.incrementMemoryCounter(capacity);
+            try {
+                this.buffer = PlatformDependent0.allocateDirectNoCleaner(capacity);
+            } catch (Throwable e) {
+                PlatformDependent.decrementMemoryCounter(capacity);
+                throw e;
+            }
+        }
+
+        // Used for reallocation — memory already allocated, counter already adjusted
+        CleanableDirectBufferImpl(ByteBuffer buffer) {
             this.buffer = buffer;
         }
 
@@ -52,7 +74,9 @@ public ByteBuffer buffer() {
 
         @Override
         public void clean() {
-            PlatformDependent.freeDirectNoCleaner(buffer);
+            int capacity = buffer.capacity();
+            PlatformDependent0.freeMemory(PlatformDependent0.directBufferAddress(buffer));
+            PlatformDependent.decrementMemoryCounter(capacity);
         }
     }
 }
diff --git a/common/src/main/java/io/netty/util/internal/OutOfDirectMemoryError.java b/common/src/main/java/io/netty/util/internal/OutOfDirectMemoryError.java
@@ -18,7 +18,7 @@
 import java.nio.ByteBuffer;
 
 /**
- * {@link OutOfMemoryError} that is throws if {@link PlatformDependent#allocateDirectNoCleaner(int)} can not allocate
+ * {@link OutOfMemoryError} that is throws if {@link PlatformDependent#allocateDirect(int)} can not allocate
  * a new {@link ByteBuffer} due memory restrictions.
  */
 public final class OutOfDirectMemoryError extends OutOfMemoryError {
diff --git a/common/src/main/java/io/netty/util/internal/PlatformDependent.java b/common/src/main/java/io/netty/util/internal/PlatformDependent.java
diff --git a/common/src/test/java/io/netty/util/internal/PlatformDependentTest.java b/common/src/test/java/io/netty/util/internal/PlatformDependentTest.java

Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,7 @@ private static final class CleanableDirectBufferImpl implements CleanableDirectB`
`156`	`156`
`157`	`157`	`private CleanableDirectBufferImpl(ByteBuffer buffer) {`
`158`	`158`	`this.buffer = buffer;`
	`159`	`+ PlatformDependent.incrementMemoryCounter(buffer.capacity());`
`159`	`160`	`}`
`160`	`161`
`161`	`162`	`@Override`
`@@ -165,7 +166,9 @@ public ByteBuffer buffer() {`
`165`	`166`
`166`	`167`	`@Override`
`167`	`168`	`public void clean() {`
	`169`	`+ int capacity = buffer.capacity();`
`168`	`170`	`freeDirectBufferStatic(buffer);`
	`171`	`+ PlatformDependent.decrementMemoryCounter(capacity);`
`169`	`172`	`}`
`170`	`173`	`}`
`171`	`174`	`}`
Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,7 @@ private static final class CleanableDirectBufferImpl implements CleanableDirectB`
`133`	`133`
`134`	`134`	`private CleanableDirectBufferImpl(ByteBuffer buffer) {`
`135`	`135`	`this.buffer = buffer;`
	`136`	`+ PlatformDependent.incrementMemoryCounter(buffer.capacity());`
`136`	`137`	`}`
`137`	`138`
`138`	`139`	`@Override`
`@@ -142,7 +143,9 @@ public ByteBuffer buffer() {`
`142`	`143`
`143`	`144`	`@Override`
`144`	`145`	`public void clean() {`
	`146`	`+ int capacity = buffer.capacity();`
`145`	`147`	`freeDirectBufferStatic(buffer);`
	`148`	`+ PlatformDependent.decrementMemoryCounter(capacity);`
`146`	`149`	`}`
`147`	`150`	`}`
`148`	`151`	`}`