RFR(S): 8221175: Fix bad function case for controlled JVM crash on PPC64 big-endian
Hi,
Please, could I get reviews for the following change?
bug   : https://bugs.openjdk.java.net/browse/JDK-8221175
webrev: http://cr.openjdk.java.net/~gromero/8221175/v1/
It fixes the way a function pointer is defined in order to call a bad function at address 0xF (controlled crash case 13) on PPC64 big-endian machines.
On PPC64 big-endian the compiler defaults to ABI ELFv1, which mandates that function pointers be part of a function descriptor, at offset 0 [1].
Currently the SIGSEGV being generated by case 13 is incorrect because, if a function descriptor is not used to call the bad function address, the program segfaults before effectively calling the function, when trying to load the (bad) function pointer from offset 0 of base address 0xF, so before branching to the function.
It does not affect PPC64 little-endian machines because by default ABI ELFv2 is used (instead of ABI ELFv1), and for that ABI no function descriptor is defined / employed.
The fix consists of properly defining a function descriptor with a bad function at offset 0 (the following offsets are not important in that case) and using that function descriptor to call the bad function, only on PPC64 big-endian machines.
That issue was found when investigating the JDK-8220794 issue [2].
Thank you.
Best regards,
Gustavo
[1] http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#FUNC-DES
[2] https://bugs.openjdk.java.net/browse/JDK-8220794
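The descriptor mechanics described in the RFR above, as an added C model that is not code from the webrev or from HotSpot: it emulates what an indirect call does under each ABI and reports which access faults and where, so the difference between case 13 with and without a descriptor can be seen on any machine. The 64 KiB unmapped-low-page threshold and the FaultKind/Fault types are assumptions of this model, not part of the ABI.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ELFv1 function descriptor as defined by the PPC64 ELF ABI (link [1] above):
 * entry point at offset 0, then the TOC pointer and the environment pointer.
 * For a deliberately bad entry the last two fields are irrelevant. */
typedef struct {
    uintptr_t entry;
    uintptr_t toc;
    uintptr_t env;
} FunctionDescriptor;

/* The ABI requirement the fix relies on: the entry must sit at offset 0. */
int descriptor_entry_offset(void) { return (int)offsetof(FunctionDescriptor, entry); }

typedef enum { FAULT_NONE, FAULT_LOAD, FAULT_EXEC } FaultKind;

typedef struct {
    FaultKind kind;  /* data load in the caller, or instruction fetch at the target */
    uintptr_t addr;  /* the faulting address a signal handler would see */
} Fault;

/* Constructed assumption: nothing below 64 KiB is mapped (a typical Linux
 * vm.mmap_min_addr). Real hardware consults page tables; this is only a model. */
static bool is_mapped(uintptr_t addr) { return addr >= 0x10000; }

/* ELFv2 model: an indirect call branches straight to the pointer value,
 * so a bad pointer faults on instruction fetch with PC == pointer. */
Fault call_elfv2(uintptr_t fnptr) {
    if (!is_mapped(fnptr)) return (Fault){FAULT_EXEC, fnptr};
    return (Fault){FAULT_NONE, fnptr};
}

/* ELFv1 model: the pointer names a descriptor. The caller first LOADS the entry
 * field from offset 0, then branches to it. A bad descriptor address faults on
 * that load, inside the caller, before any branch to the "function" happens. */
Fault call_elfv1(uintptr_t fnptr) {
    if (!is_mapped(fnptr)) return (Fault){FAULT_LOAD, fnptr};
    const FunctionDescriptor *fd = (const FunctionDescriptor *)fnptr;
    if (!is_mapped(fd->entry)) return (Fault){FAULT_EXEC, fd->entry};
    return (Fault){FAULT_NONE, fd->entry};
}

#define BAD_FUNC_ADDR ((uintptr_t)0xF)  /* case 13's bad function address, from the RFR */

/* Before the fix on big-endian: 0xF used directly as the function pointer, so
 * ELFv1 tries to load the entry from address 0xF and faults there, not at 0xF's code. */
Fault case13_without_descriptor(void) { return call_elfv1(BAD_FUNC_ADDR); }

/* After the fix: a real descriptor whose entry field is 0xF (toc/env do not matter).
 * The load succeeds and the branch lands on 0xF, which is the crash the test wants. */
Fault case13_with_descriptor(void) {
    static const FunctionDescriptor bad = { BAD_FUNC_ADDR, 0, 0 };
    return call_elfv1((uintptr_t)&bad);
}

int main(void) {
    Fault a = case13_without_descriptor(), b = case13_with_descriptor();
    Fault c = call_elfv2(BAD_FUNC_ADDR);
    printf("ELFv1 raw 0xF   : %s at 0x%lx\n", a.kind == FAULT_LOAD ? "LOAD" : "EXEC", (unsigned long)a.addr);
    printf("ELFv1 descriptor: %s at 0x%lx\n", b.kind == FAULT_LOAD ? "LOAD" : "EXEC", (unsigned long)b.addr);
    printf("ELFv2 raw 0xF   : %s at 0x%lx\n", c.kind == FAULT_LOAD ? "LOAD" : "EXEC", (unsigned long)c.addr);
    return 0;
}
```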
Hi On 2019-03-22 12:15 p.m., Gustavo Romero wrote:
Hi,
Please, could I get reviews for the following change?
bug : https://bugs.openjdk.java.net/browse/JDK-8221175 webrev: http://cr.openjdk.java.net/~gromero/8221175/v1/
It fixes the way a function pointer is defined in order to call a bad function at address 0xF (controlled crash case 13) on PPC64 big-endian machines.
On PPC64 big-endian the compiler defaults to ABI ELFv1, which mandates that function pointers be part of a function descriptor, at offset 0 [1].
Currently the SIGSEGV being generated by case 13 is incorrect because, if a function descriptor is not used to call the bad function address, the program segfaults before effectively calling the function, when trying to load the (bad) function pointer from offset 0 of base address 0xF, so before branching to the function.
It does not affect PPC64 little-endian machines because by default ABI ELFv2 is used (instead of ABI ELFv1), and for that ABI no function descriptor is defined / employed.
The fix consists of properly defining a function descriptor with a bad function at offset 0 (the following offsets are not important in that case) and using that function descriptor to call the bad function, only on PPC64 big-endian machines.
That issue was found when investigating the JDK-8220794 issue [2].
Thank you.
Best regards, Gustavo
[1] http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#FUNC-DES [2] https://bugs.openjdk.java.net/browse/JDK-8220794
Looks good, but not a reviewer. Chris
Hi Chris, On 03/22/2019 03:05 PM, Chris Phillips wrote:
Hi
On 2019-03-22 12:15 p.m., Gustavo Romero wrote:
Hi,
Please, could I get reviews for the following change?
bug : https://bugs.openjdk.java.net/browse/JDK-8221175 webrev: http://cr.openjdk.java.net/~gromero/8221175/v1/
[SNIP]
Looks good, but not a reviewer.
Thanks a lot for reviewing it, Chris. I'll add you as a (r)eviewer to the commit message after I get more input from the hotspot-runtime-dev ML. Best regards, Gustavo
Hi Gustavo, looks good. Would be nice to cleanly factor function descriptor handling out at some point: we have various pieces, e.g. a struct FunctionDescriptor in assembler_ppc.hpp, a resolve function in os_aix.cpp, now this... also, I believe, on AIX there is a struct FunctionDescriptor in os headers, but I may remember this wrong. But cleanup can be done in a different change. Thanks for fixing! Cheers, Thomas On Fri, Mar 22, 2019 at 5:15 PM Gustavo Romero <gromero@linux.vnet.ibm.com> wrote:
Hi,
Please, could I get reviews for the following change?
bug : https://bugs.openjdk.java.net/browse/JDK-8221175 webrev: http://cr.openjdk.java.net/~gromero/8221175/v1/
It fixes the way a function pointer is defined in order to call a bad function at address 0xF (controlled crash case 13) on PPC64 big-endian machines.
On PPC64 big-endian the compiler defaults to ABI ELFv1, which mandates that function pointers be part of a function descriptor, at offset 0 [1].
Currently the SIGSEGV being generated by case 13 is incorrect because, if a function descriptor is not used to call the bad function address, the program segfaults before effectively calling the function, when trying to load the (bad) function pointer from offset 0 of base address 0xF, so before branching to the function.
It does not affect PPC64 little-endian machines because by default ABI ELFv2 is used (instead of ABI ELFv1), and for that ABI no function descriptor is defined / employed.
The fix consists of properly defining a function descriptor with a bad function at offset 0 (the following offsets are not important in that case) and using that function descriptor to call the bad function, only on PPC64 big-endian machines.
That issue was found when investigating the JDK-8220794 issue [2].
Thank you.
Best regards, Gustavo
[1] http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#FUNC-DES [2] https://bugs.openjdk.java.net/browse/JDK-8220794
Hi Thomas! On 03/23/2019 05:43 PM, Thomas Stüfe wrote:
Hi Gustavo,
looks good.
Thanks a lot for reviewing it and for your comments!
Would be nice to cleanly factor function descriptor handling out at some point: we have various pieces, e.g. a struct FunctionDescriptor in assembler_ppc.hpp, a resolve function in os_aix.cpp, now this... also, I believe, on AIX there is a struct FunctionDescriptor in os headers, but I may remember this wrong.
But cleanup can be done in a different change.
Unfortunately I don't have access to AIX systems, so I can't test/work on AIX (that's one of the reasons I decided to CC ppc-aix-port-dev). I overlooked the presence of 'struct FunctionDescriptor'. All headers look in place, so how about using FunctionDescriptor instead of an array?
webrev v2: http://cr.openjdk.java.net/~gromero/8221175/v2/
Cheers, Gustavo
Thanks for fixing!
Cheers, Thomas
Hi Gustavo, On Sun 24. Mar 2019 at 20:20, Gustavo Romero <gromero@linux.vnet.ibm.com> wrote:
Hi Thomas!
On 03/23/2019 05:43 PM, Thomas Stüfe wrote:
Hi Gustavo,
looks good.
Thanks a lot for reviewing it and for your comments!
Would be nice to cleanly factor function descriptor handling out at some point: we have various pieces, e.g. a struct FunctionDescriptor in assembler_ppc.hpp, a resolve function in os_aix.cpp, now this... also, I believe, on AIX there is a struct FunctionDescriptor in os headers, but I may remember this wrong.
But cleanup can be done in a different change.
Unfortunately I don't have access to AIX systems, so I can't test/work on AIX (that's one of the reasons I decided to CC ppc-aix-port-dev).
I overlooked the presence of 'struct FunctionDescriptor'. All headers look in place, so how about using FunctionDescriptor instead of an array?
webrev v2:
Make sure this builds with precompiled headers disabled. I am guessing you are missing the inclusion of assembler_ppc.hpp here. Otherwise looks good. Cheers, thomas
Cheers, Gustavo
Hi Thomas, On 03/24/2019 04:37 PM, Thomas Stüfe wrote:
Make sure this builds with precompiled headers disabled. I am guessing you are missing the inclusion of assembler_ppc.hpp here.
Otherwise looks good.
Thanks for the review! I tested without explicitly including assembler_ppc.hpp (v2 change) by building in a brand new ./build dir and also with --disable-precompiled-headers. In both cases it builds fine. I'll push it today to jdk/jdk. Cheers, Gustavo
Thanks for checking and fixing! .. Thomas On Mon, Mar 25, 2019, 5:12 PM Gustavo Romero <gromero@linux.vnet.ibm.com> wrote:
Hi Thomas,
On 03/24/2019 04:37 PM, Thomas Stüfe wrote:
Make sure this builds with precompiled headers disabled. I am guessing you are missing the inclusion of assembler_ppc.hpp here.
Otherwise looks good.
Thanks for the review!
I tested without explicitly including assembler_ppc.hpp (v2 change) by building in a brand new ./build dir and also with --disable-precompiled-headers. In both cases it builds fine.
I'll push it today to jdk/jdk.
Cheers, Gustavo
Looks good, too. Best, Goetz
-----Original Message----- From: ppc-aix-port-dev <ppc-aix-port-dev-bounces@openjdk.java.net> On Behalf Of Gustavo Romero Sent: Sonntag, 24. März 2019 20:21 To: Thomas Stüfe <thomas.stuefe@gmail.com> Cc: ppc-aix-port-dev@openjdk.java.net; Daniel D. Daugherty <daniel.daugherty@oracle.com>; hotspot-runtime-dev@openjdk.java.net Subject: Re: RFR(S): 8221175: Fix bad function case for controlled JVM crash on PPC64 big-endian
Hi Thomas!
On 03/23/2019 05:43 PM, Thomas Stüfe wrote:
Hi Gustavo,
looks good.
Thanks a lot for reviewing it and for your comments!
Would be nice to cleanly factor function descriptor handling out at some point: we have various pieces, e.g. a struct FunctionDescriptor in assembler_ppc.hpp, a resolve function in os_aix.cpp, now this... also, I believe, on AIX there is a struct FunctionDescriptor in os headers, but I may remember this wrong.
But cleanup can be done in a different change.
Unfortunately I don't have access to AIX systems, so I can't test/work on AIX (that's one of the reasons I decided to CC ppc-aix-port-dev).
I overlooked the presence of 'struct FunctionDescriptor'. All headers look in place, so how about using FunctionDescriptor instead of an array?
webrev v2:
http://cr.openjdk.java.net/~gromero/8221175/v2/
Cheers, Gustavo
Thanks for fixing!
Cheers, Thomas
Hi Goetz, On 03/25/2019 05:32 AM, Lindenmaier, Goetz wrote:
Looks good, too.
Thanks a lot for the review. Should I run it against submit tests before pushing? It's a change in shared code, but it can't affect other architectures. Best regards, Gustavo
Best, Goetz
Should I run it against submit tests before pushing? It's a change in shared code, but it can't affect other architectures.
I think it's safe to be pushed.
Best regards, Goetz.
On 03/26/2019 04:15 AM, Lindenmaier, Goetz wrote:
Should I run it against submit tests before pushing? It's a change in shared code, but it can't affect other architectures.
I think it's safe to be pushed.
Thank you. Pushed: http://hg.openjdk.java.net/jdk/jdk/rev/a2897fb258f1 Cheers, Gustavo
Hi Gustavo, thanks for fixing this, looks good. Best regards, Goetz.
-----Original Message----- From: Gustavo Romero <gromero@linux.vnet.ibm.com> Sent: Freitag, 22. März 2019 17:15 To: hotspot-runtime-dev@openjdk.java.net Cc: daniel.daugherty@oracle.com; Lindenmaier, Goetz <goetz.lindenmaier@sap.com>; ppc-aix-port-dev@openjdk.java.net Subject: RFR(S): 8221175: Fix bad function case for controlled JVM crash on PPC64 big-endian
Hi,
Please, could I get reviews for the following change?
bug : https://bugs.openjdk.java.net/browse/JDK-8221175 webrev: http://cr.openjdk.java.net/~gromero/8221175/v1/
It fixes the way a function pointer is defined in order to call a bad function at address 0xF (controlled crash case 13) on PPC64 big-endian machines.
On PPC64 big-endian the compiler defaults to ABI ELFv1, which mandates that function pointers be part of a function descriptor, at offset 0 [1].
Currently the SIGSEGV being generated by case 13 is incorrect because, if a function descriptor is not used to call the bad function address, the program segfaults before effectively calling the function, when trying to load the (bad) function pointer from offset 0 of base address 0xF, so before branching to the function.
It does not affect PPC64 little-endian machines because by default ABI ELFv2 is used (instead of ABI ELFv1), and for that ABI no function descriptor is defined / employed.
The fix consists of properly defining a function descriptor with a bad function at offset 0 (the following offsets are not important in that case) and using that function descriptor to call the bad function, only on PPC64 big-endian machines.
That issue was found when investigating the JDK-8220794 issue [2].
Thank you.
Best regards, Gustavo
[1] http://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#FUNC-DES
[2] https://bugs.openjdk.java.net/browse/JDK-8220794