use-after-free in C2
Justin King
jcking at google.com
Thu Feb 9 16:59:17 UTC 2023
Hi,
I was looking at instrumenting Arena again for ASan. The WIP patch is
047d4aa9a091cf5a84b9308454862e39666ca253
<https://github.com/jcking/jdk/commit/047d4aa9a091cf5a84b9308454862e39666ca253>.
I ran back into the suspicious logic in C2
<https://bugs.openjdk.org/browse/JDK-8298984> where nodes are used after
calling Arena::Afree. The first issue is present in Node::destruct, which I
fixed by moving the call to Arena::Afree to the bottom of the function
(addressed in patch). The second issue came up afterwards in Compile::Compile;
the stack trace is below. It looks like there are residual freed nodes
being operated on? Maybe we are failing to unregister a temporary node from
the node list? Maybe related to clone_map which returns SafePointNode?
==3146540==ERROR: AddressSanitizer: use-after-poison on address 0x62d00996b370 at pc 0x7f9f93048335 bp 0x7f9ed29fae20 sp 0x7f9ed29fae18
READ of size 4 at 0x62d00996b370 thread T13
    #0 0x7f9f93048334 in Unique_Node_List::remove_useless_nodes(VectorSet&) src/hotspot/share/opto/node.cpp:2967
    #1 0x7f9f932124b3 in PhaseRemoveUseless::PhaseRemoveUseless(PhaseGVN*, Unique_Node_List*, Phase::PhaseNumber) src/hotspot/share/opto/phaseX.cpp:423
    #2 0x7f9f91621beb in Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:797
    #3 0x7f9f912e37fe in C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
    #4 0x7f9f91638e07 in CompileBroker::invoke_compiler_on_method(CompileTask*) src/hotspot/share/compiler/compileBroker.cpp:2237
    #5 0x7f9f9163bfd7 in CompileBroker::compiler_thread_loop() src/hotspot/share/compiler/compileBroker.cpp:1916
    #6 0x7f9f921e3eec in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:710
    #7 0x7f9f921e434f in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:689
    #8 0x7f9f921e434f in JavaThread::run() src/hotspot/share/runtime/javaThread.cpp:695
    #9 0x7f9f93aa3f55 in Thread::call_run() src/hotspot/share/runtime/thread.cpp:224
    #10 0x7f9f9310144f in thread_native_entry src/hotspot/os/linux/os_linux.cpp:737
    #11 0x7f9f960a7fd3 in start_thread nptl/pthread_create.c:442
    #12 0x7f9f9612866b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62d00996b370 is located 20336 bytes inside of 32744-byte region [0x62d009966400,0x62d00996e3e8)
allocated by thread T13 here:
    #0 0x7f9f962b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f9f930e915a in os::malloc(unsigned long, MEMFLAGS, NativeCallStack const&) src/hotspot/share/runtime/os.cpp:672
    #2 0x7f9f90c8a08a in Chunk::operator new(unsigned long, AllocFailStrategy::AllocFailEnum, unsigned long) src/hotspot/share/memory/arena.cpp:190
    #3 0x7f9f90c8a08a in Arena::grow(unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.cpp:325
    #4 0x7f9f932109f5 in Arena::internal_amalloc(unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.hpp:113
    #5 0x7f9f932109f5 in Arena::Amalloc(unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.hpp:133
    #6 0x7f9f932109f5 in NodeHash::NodeHash(Arena*, unsigned int) src/hotspot/share/opto/phaseX.cpp:68
    #7 0x7f9f932293c7 in PhaseValues::PhaseValues(Arena*, unsigned int) src/hotspot/share/opto/phaseX.cpp:697
    #8 0x7f9f9161f678 in PhaseGVN::PhaseGVN(Arena*, unsigned int) src/hotspot/share/opto/phaseX.hpp:415
    #9 0x7f9f9161f678 in Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:714
    #10 0x7f9f912e37fe in C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
    #11 0x7f9f91638e07 in CompileBroker::invoke_compiler_on_method(CompileTask*) src/hotspot/share/compiler/compileBroker.cpp:2237
    #12 0x7f9f9163bfd7 in CompileBroker::compiler_thread_loop() src/hotspot/share/compiler/compileBroker.cpp:1916
    #13 0x7f9f921e3eec in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:710
    #14 0x7f9f921e434f in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:689
    #15 0x7f9f921e434f in JavaThread::run() src/hotspot/share/runtime/javaThread.cpp:695
    #16 0x7f9f93aa3f55 in Thread::call_run() src/hotspot/share/runtime/thread.cpp:224
    #17 0x7f9f9310144f in thread_native_entry src/hotspot/os/linux/os_linux.cpp:737
    #18 0x7f9f960a7fd3 in start_thread nptl/pthread_create.c:442

Thread T13 created by T1 here:
    #0 0x7f9f96249726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x7f9f93102d88 in os::create_thread(Thread*, os::ThreadType, unsigned long) src/hotspot/os/linux/os_linux.cpp:888
    #2 0x7f9f91693d93 in CompilerThread::CompilerThread(CompileQueue*, CompilerCounters*) src/hotspot/share/compiler/compilerThread.cpp:34
    #3 0x7f9f91625c7c in CompileBroker::make_thread(CompileBroker::ThreadType, _jobject*, CompileQueue*, AbstractCompiler*, JavaThread*) src/hotspot/share/compiler/compileBroker.cpp:842
    #4 0x7f9f91628f71 in CompileBroker::init_compiler_threads() src/hotspot/share/compiler/compileBroker.cpp:943
    #5 0x7f9f9162a464 in CompileBroker::compilation_init_phase1(JavaThread*) src/hotspot/share/compiler/compileBroker.cpp:654
    #6 0x7f9f93adc3a4 in Threads::create_vm(JavaVMInitArgs*, bool*) src/hotspot/share/runtime/threads.cpp:701
    #7 0x7f9f92465b51 in JNI_CreateJavaVM_inner src/hotspot/share/prims/jni.cpp:3588
    #8 0x7f9f92465b51 in JNI_CreateJavaVM src/hotspot/share/prims/jni.cpp:3674
    #9 0x7f9f968d2e25 in InitializeJVM src/java.base/share/native/libjli/java.c:1459
    #10 0x7f9f968d2e25 in JavaMain src/java.base/share/native/libjli/java.c:413
    #11 0x7f9f968db708 in ThreadJavaMain src/java.base/unix/native/libjli/java_md.c:650
    #12 0x7f9f960a7fd3 in start_thread nptl/pthread_create.c:442

Thread T1 created by T0 here:
    #0 0x7f9f96249726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x7f9f968dd3a1 in CallJavaMainInNewThread src/java.base/unix/native/libjli/java_md.c:691
    #2 0x7f9f968d822d in ContinueInNewThread src/java.base/share/native/libjli/java.c:2280
    #3 0x7f9f968d96ae in JLI_Launch src/java.base/share/native/libjli/java.c:340
    #4 0x5594a81c337c in main src/java.base/share/native/launcher/main.c:166
    #5 0x7f9f96046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
--
Justin King
Software Engineer
jcking at google.com
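The ordering problem the mail describes (a node handed back with Arena::Afree and then read by the node-list code) can be reproduced in miniature. The program below is an added example, not code from the mail, from the WIP patch or from OpenJDK: a toy bump-pointer arena whose Afree poisons the released bytes through AddressSanitizer's manual-poisoning API (the same instrumentation idea the patch applies to Arena), next to the buggy and the fixed destruct ordering. Arena, Amalloc, Afree, Node, node_new, node_destruct_buggy and node_destruct_fixed are this example's own simplified stand-ins; the only property of HotSpot's Afree it copies is the assumption that just the most recent allocation is reclaimed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Poison hooks: real AddressSanitizer calls under -fsanitize=address, no-ops
 * otherwise so the example also builds and runs without the sanitizer. */
#ifndef __has_feature
#define __has_feature(x) 0          /* compilers without the builtin */
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#include <sanitizer/asan_interface.h>
#define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#define POISON(p, n)   ((void)(p), (void)(n))
#define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

/* Toy bump-pointer arena: a simplified stand-in, not HotSpot's Arena. */
typedef struct { unsigned char *base, *hwm, *max; } Arena;
size_t arena_align(size_t n) { return (n + 7) & ~(size_t)7; }
size_t arena_used(const Arena *a) { return (size_t)(a->hwm - a->base); }

void arena_init(Arena *a, size_t capacity) {
  a->base = a->hwm = malloc(capacity);
  a->max = a->base + capacity;
  POISON(a->base, capacity);        /* nothing handed out yet: all off-limits */
}

/* Unpoison before free() so malloc gets clean memory back. */
void arena_destroy(Arena *a) { UNPOISON(a->base, (size_t)(a->max - a->base)); free(a->base); }

void *Amalloc(Arena *a, size_t n) {
  n = arena_align(n);
  if ((size_t)(a->max - a->hwm) < n) return NULL;
  void *p = a->hwm;
  a->hwm += n;
  UNPOISON(p, n);                   /* live allocation: accessible again */
  return p;
}

/* Assumption about HotSpot's Arena::Afree, copied here: only the most recent
 * allocation is reclaimed (returns 1), anything else stays (returns 0). The
 * reclaimed bytes are poisoned, so any later read of them is use-after-poison. */
int Afree(Arena *a, void *p, size_t n) {
  n = arena_align(n);
  if ((unsigned char *)p + n != a->hwm) return 0;
  a->hwm = (unsigned char *)p;
  POISON(p, n);
  return 1;
}

/* A node with an index into a global node list, standing in for C2's
 * Node::_idx and the Unique_Node_List walked in the mail's stack trace. */
typedef struct Node { int idx; struct Node *in[2]; } Node;
#define MAX_NODES 16
static Node *g_nodes[MAX_NODES];
static int g_node_count;
int node_count(void) { return g_node_count; }

Node *node_new(Arena *a, int idx) {
  Node *n = g_node_count < MAX_NODES ? Amalloc(a, sizeof *n) : NULL;
  if (n == NULL) return NULL;
  n->idx = idx; n->in[0] = n->in[1] = NULL;
  g_nodes[g_node_count++] = n;
  return n;
}

static void node_unregister(int idx) {
  for (int i = 0; i < g_node_count; i++)
    if (g_nodes[i]->idx == idx) { g_nodes[i] = g_nodes[--g_node_count]; return; }
}

/* The ordering the mail calls out: free (and poison) first, then read the node
 * to unregister it. With ASan this is reported as use-after-poison on the
 * n->idx read; without ASan it silently reads memory the arena may reuse. */
int node_destruct_buggy(Arena *a, Node *n) {
  int reclaimed = Afree(a, n, sizeof *n);
  node_unregister(n->idx);          /* read of poisoned memory */
  return reclaimed;
}

/* The fix applied to Node::destruct: every use of the node first, Afree last. */
int node_destruct_fixed(Arena *a, Node *n) {
  node_unregister(n->idx);
  return Afree(a, n, sizeof *n);
}

int main(int argc, char **argv) {
  int buggy = argc > 1 && strcmp(argv[1], "--buggy") == 0;   /* ./a.out --buggy */
  Arena a;
  arena_init(&a, 4096);
  Node *n1 = node_new(&a, 1), *n2 = node_new(&a, 2);
  int reclaimed = buggy ? node_destruct_buggy(&a, n2) : node_destruct_fixed(&a, n2);
  printf("n2 reclaimed=%d, nodes left=%d, arena bytes used=%zu\n", reclaimed, node_count(), arena_used(&a));
  node_destruct_fixed(&a, n1);
  arena_destroy(&a);
  return 0;
}
```

Build it twice: plain `cc -O1 -g example.c` runs both orderings without complaint, because the poison macros expand to nothing and the freed bytes are still mapped. With `cc -O1 -g -fsanitize=address example.c` the default path still passes, while `./a.out --buggy` stops at the `n->idx` read in node_destruct_buggy with a use-after-poison report whose allocation stack points back into Amalloc, which is the same shape of report as the one in the mail. Poisoning on Afree (and the whole chunk at arena_init) is what turns a silent stale read into a diagnosable one; the cost is that every Afree site has to be the last use of the block, which is exactly the ordering the Node::destruct fix establishes.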