RFR: 8372493: [asan] java/foreign/sharedclosejvmti/TestSharedCloseJvmti.java triggers heap-use-after-free

Jorn Vernee jvernee at openjdk.org
Wed Dec 17 13:55:10 UTC 2025


On Tue, 16 Dec 2025 20:21:59 GMT, Chen Liang <liach at openjdk.org> wrote:

>> ASAN correctly detected a use-after-free in this test.
>> 
>> The issue is that an async `ScopedAccessError` is thrown while executing java code as part of a JVMTI callback. This exception is meant to unwind out of a scoped memory access, to prevent access to memory that has already been freed. But, currently the native agent code is printing and clearing the exception, which doesn't prevent the memory access from occurring, leading to a use-after-free.
>> 
>> Ideally, the agent should propagate the exception to the place in the Java code where the JVMTI event happens, but it is not possible to exit the callback with a pending exception, and AFAICT there is no JVMTI API for propagating async exceptions that are thrown during a JVMTI callback. So, the only sane thing the test can do is exit the process, which is what I've implemented here.
>> 
>> This fixes the test, but it leaves the larger question of how JVMTI agents should deal with async exceptions unresolved.
>
> test/jdk/java/foreign/sharedclosejvmti/libSharedCloseAgent.cpp line 109:
> 
>> 107:     jni_env->ExceptionDescribe();
>> 108:     if (jni_env->IsInstanceOf(ex, EXCEPTION_CLS)) {
>> 109:       exit(0); // success
> 
> Just curious, does this just terminate the agent? If this terminates the JVM, how is the checked string printed:
> 
> output.stderrShouldContain("Exception in thread \"Trigger\" jdk.internal.misc.ScopedMemoryAccess$ScopedAccessError: Invalid memory access");

It terminates the VM. That string is printed by `ExceptionDescribe()`.

> test/jdk/java/foreign/sharedclosejvmti/libSharedCloseAgent.cpp line 115:
> 
>> 113:   }
>> 114: 
>> 115:   jvmti_env->Deallocate((unsigned char*) method_name);
> 
> We can move the 2 Deallocate to right above CallStaticVoidMethod.

Cleaned this code up a bit. We just need one call to `Deallocate` for each string.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28853#discussion_r2624641725
PR Review Comment: https://git.openjdk.org/jdk/pull/28853#discussion_r2624662418
