RFR: JDK-8298908: Instrument Metaspace for ASan [v6]

Thomas Stuefe stuefe at openjdk.org
Mon Jan 9 08:10:57 UTC 2023 

On Thu, 5 Jan 2023 16:29:13 GMT, Justin King <jcking at openjdk.org> wrote:

>> This change instruments Metaspace for ASan. Metaspace allocates memory using `mmap`/`munmap` which ASan is not aware of. Fortunately ASan supports applications [manually poisoning/unpoisoning memory](https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning). ASan is able to detect poisoned memory, similar to `use-after-free`, and will raise an error similarly called `use-after-poison`. This provides and extra layer of defense and confidence.
>> 
>> The header `sanitizers/address.h` defines macros for poisoning/unpoisoning memory regions. These macros can be used regardless of build mode. When ASan is not available, they are implemented using a NOOP approach which still compiles the arguments but does so such that they will be stripped out by the compiler due to being unreachable. This helps with maintenance.
>> 
>> This also has the added benefit of making [LSan](https://bugs.openjdk.org/browse/JDK-8298445) more accurate and deterministic, as LSan will not look for pointers to malloc memory in poisoned memory regions.
>> 
>> IMO the benefit of doing this greatly outweighs the cost.
>
> Justin King has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Use -fno-common as suggested by ASan docs
>   
>   Signed-off-by: Justin King <jcking at google.com>

Metaspace changes mostly good. Do the gtests pass? Especially the Metaspace fence tests? You need to execute them via the jtreg wrapper (test/hotspot/jtreg/gtest) - these wrappers execute the googletest suite with a number of different settings, among others also metaspace fences enabled.

src/hotspot/share/memory/metaspace/chunkManager.cpp line 137:

> 135: // - Or, if the necessary space cannot be committed because we hit a commit limit.
> 136: //   This may be either the GC threshold or MaxMetaspaceSize.
> 137: Metachunk* ChunkManager::get_chunk_locked(chunklevel_t preferred_level, chunklevel_t max_level, size_t min_committed_words) {

Please add `assert_lock_strong(Metaspace_lock);`

src/hotspot/share/memory/metaspace/chunkManager.cpp line 247:

> 245: //    this function returns !!
> 246: void ChunkManager::return_chunk(Metachunk* c) {
> 247:   ASAN_POISON_MEMORY_REGION(c->base(), c->word_size() * BytesPerWord);

Please add comment:

// It is valid to poison the chunk payload area at this point since its physically separated from the chunk meta info.

src/hotspot/share/memory/metaspace/virtualSpaceNode.cpp line 239:

> 237:   assert_is_aligned(_word_size, chunklevel::MAX_CHUNK_WORD_SIZE);
> 238: 
> 239:   // Poison the memory region. It will be unpoisoned later by MetaspaceArena.

Can you be a bit more specific? Proposal:
"It will be unpoisened on a per-chunk base for chunks that are handed to arenas."

src/hotspot/share/runtime/os.cpp line 951:

> 949: NO_SANITIZE_ADDRESS void os::print_hex_dump(outputStream* st, address start, address end,
> 950:                                             int unitsize, int bytes_per_line,
> 951:                                             address logical_start) {

Out of scope for this bug; can this be moved to a different RFE? 

While looking at this, I found that os::print_hex_dump has a little error. It is not supposed to access memory directly but only via SafeFetch (in order to print '?' for unreadable locations). SafeFetch would be the natural point for asan exclusion. I filed a bug for this: https://bugs.openjdk.org/browse/JDK-8299790

-------------

PR: https://git.openjdk.org/jdk/pull/11702

More information about the build-dev mailing list