use-after-free in C2

dean.long at oracle.com
Thu Feb 9 21:41:17 UTC 2023


Can ASan show where the memory was freed?  We've had crashes in the past 
(like JDK-8270028) that could be related to memory corruption or how 
ResourceArea recycles memory.  The allocation below seems to be using an 
Arena without a ResourceArea, but if some other code used the same arena 
wrapped in a ResourceArea, then it seems like that could lead to 
potential problems.

dl

On 2/9/23 8:59 AM, Justin King wrote:
> Hi,
>
> I was looking at instrumenting Arena again for ASan. The WIP patch is 
> 047d4aa9a091cf5a84b9308454862e39666ca253 
> <https://github.com/jcking/jdk/commit/047d4aa9a091cf5a84b9308454862e39666ca253>. 
> I ran back into the suspicious logic in C2 
> <https://bugs.openjdk.org/browse/JDK-8298984> where nodes are used 
> after calling Arena::Afree. The first issue is present in 
> Node::destruct, which I fixed by moving the call to Arena::Afree to 
> the bottom of the function (addressed in the patch). The second issue 
> came up afterwards, in Compile::Compile; the stack trace is below. It looks 
> like there are residual freed nodes being operated on? Maybe we are 
> failing to unregister a temporary node from the node list? Maybe it is 
> related to clone_map, which returns a SafePointNode?
>
> ==3146540==ERROR: AddressSanitizer: use-after-poison on address 
> 0x62d00996b370 at pc 0x7f9f93048335 bp 0x7f9ed29fae20 sp 0x7f9ed29fae18
> READ of size 4 at 0x62d00996b370 thread T13
>     #0 0x7f9f93048334 in 
> Unique_Node_List::remove_useless_nodes(VectorSet&) 
> src/hotspot/share/opto/node.cpp:2967
>     #1 0x7f9f932124b3 in 
> PhaseRemoveUseless::PhaseRemoveUseless(PhaseGVN*, Unique_Node_List*, 
> Phase::PhaseNumber) src/hotspot/share/opto/phaseX.cpp:423
>     #2 0x7f9f91621beb in Compile::Compile(ciEnv*, ciMethod*, int, 
> Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:797
>     #3 0x7f9f912e37fe in C2Compiler::compile_method(ciEnv*, ciMethod*, 
> int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
>     #4 0x7f9f91638e07 in 
> CompileBroker::invoke_compiler_on_method(CompileTask*) 
> src/hotspot/share/compiler/compileBroker.cpp:2237
>     #5 0x7f9f9163bfd7 in CompileBroker::compiler_thread_loop() 
> src/hotspot/share/compiler/compileBroker.cpp:1916
>     #6 0x7f9f921e3eec in JavaThread::thread_main_inner() 
> src/hotspot/share/runtime/javaThread.cpp:710
>     #7 0x7f9f921e434f in JavaThread::thread_main_inner() 
> src/hotspot/share/runtime/javaThread.cpp:689
>     #8 0x7f9f921e434f in JavaThread::run() 
> src/hotspot/share/runtime/javaThread.cpp:695
>     #9 0x7f9f93aa3f55 in Thread::call_run() 
> src/hotspot/share/runtime/thread.cpp:224
>     #10 0x7f9f9310144f in thread_native_entry 
> src/hotspot/os/linux/os_linux.cpp:737
>     #11 0x7f9f960a7fd3 in start_thread nptl/pthread_create.c:442
>     #12 0x7f9f9612866b in clone3 
> ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
>
> 0x62d00996b370 is located 20336 bytes inside of 32744-byte region 
> [0x62d009966400,0x62d00996e3e8)
> allocated by thread T13 here:
>     #0 0x7f9f962b89cf in __interceptor_malloc 
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
>     #1 0x7f9f930e915a in os::malloc(unsigned long, MEMFLAGS, 
> NativeCallStack const&) src/hotspot/share/runtime/os.cpp:672
>     #2 0x7f9f90c8a08a in Chunk::operator new(unsigned long, 
> AllocFailStrategy::AllocFailEnum, unsigned long) 
> src/hotspot/share/memory/arena.cpp:190
>     #3 0x7f9f90c8a08a in Arena::grow(unsigned long, 
> AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.cpp:325
>     #4 0x7f9f932109f5 in Arena::internal_amalloc(unsigned long, 
> AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.hpp:113
>     #5 0x7f9f932109f5 in Arena::Amalloc(unsigned long, 
> AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.hpp:133
>     #6 0x7f9f932109f5 in NodeHash::NodeHash(Arena*, unsigned int) 
> src/hotspot/share/opto/phaseX.cpp:68
>     #7 0x7f9f932293c7 in PhaseValues::PhaseValues(Arena*, unsigned 
> int) src/hotspot/share/opto/phaseX.cpp:697
>     #8 0x7f9f9161f678 in PhaseGVN::PhaseGVN(Arena*, unsigned int) 
> src/hotspot/share/opto/phaseX.hpp:415
>     #9 0x7f9f9161f678 in Compile::Compile(ciEnv*, ciMethod*, int, 
> Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:714
>     #10 0x7f9f912e37fe in C2Compiler::compile_method(ciEnv*, 
> ciMethod*, int, bool, DirectiveSet*) 
> src/hotspot/share/opto/c2compiler.cpp:113
>     #11 0x7f9f91638e07 in 
> CompileBroker::invoke_compiler_on_method(CompileTask*) 
> src/hotspot/share/compiler/compileBroker.cpp:2237
>     #12 0x7f9f9163bfd7 in CompileBroker::compiler_thread_loop() 
> src/hotspot/share/compiler/compileBroker.cpp:1916
>     #13 0x7f9f921e3eec in JavaThread::thread_main_inner() 
> src/hotspot/share/runtime/javaThread.cpp:710
>     #14 0x7f9f921e434f in JavaThread::thread_main_inner() 
> src/hotspot/share/runtime/javaThread.cpp:689
>     #15 0x7f9f921e434f in JavaThread::run() 
> src/hotspot/share/runtime/javaThread.cpp:695
>     #16 0x7f9f93aa3f55 in Thread::call_run() 
> src/hotspot/share/runtime/thread.cpp:224
>     #17 0x7f9f9310144f in thread_native_entry 
> src/hotspot/os/linux/os_linux.cpp:737
>     #18 0x7f9f960a7fd3 in start_thread nptl/pthread_create.c:442
>
> Thread T13 created by T1 here:
>     #0 0x7f9f96249726 in __interceptor_pthread_create 
> ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
>     #1 0x7f9f93102d88 in os::create_thread(Thread*, os::ThreadType, 
> unsigned long) src/hotspot/os/linux/os_linux.cpp:888
>     #2 0x7f9f91693d93 in CompilerThread::CompilerThread(CompileQueue*, 
> CompilerCounters*) src/hotspot/share/compiler/compilerThread.cpp:34
>     #3 0x7f9f91625c7c in 
> CompileBroker::make_thread(CompileBroker::ThreadType, _jobject*, 
> CompileQueue*, AbstractCompiler*, JavaThread*) 
> src/hotspot/share/compiler/compileBroker.cpp:842
>     #4 0x7f9f91628f71 in CompileBroker::init_compiler_threads() 
> src/hotspot/share/compiler/compileBroker.cpp:943
>     #5 0x7f9f9162a464 in 
> CompileBroker::compilation_init_phase1(JavaThread*) 
> src/hotspot/share/compiler/compileBroker.cpp:654
>     #6 0x7f9f93adc3a4 in Threads::create_vm(JavaVMInitArgs*, bool*) 
> src/hotspot/share/runtime/threads.cpp:701
>     #7 0x7f9f92465b51 in JNI_CreateJavaVM_inner 
> src/hotspot/share/prims/jni.cpp:3588
>     #8 0x7f9f92465b51 in JNI_CreateJavaVM 
> src/hotspot/share/prims/jni.cpp:3674
>     #9 0x7f9f968d2e25 in InitializeJVM 
> src/java.base/share/native/libjli/java.c:1459
>     #10 0x7f9f968d2e25 in JavaMain 
> src/java.base/share/native/libjli/java.c:413
>     #11 0x7f9f968db708 in ThreadJavaMain 
> src/java.base/unix/native/libjli/java_md.c:650
>     #12 0x7f9f960a7fd3 in start_thread nptl/pthread_create.c:442
>
> Thread T1 created by T0 here:
>     #0 0x7f9f96249726 in __interceptor_pthread_create 
> ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
>     #1 0x7f9f968dd3a1 in CallJavaMainInNewThread 
> src/java.base/unix/native/libjli/java_md.c:691
>     #2 0x7f9f968d822d in ContinueInNewThread 
> src/java.base/share/native/libjli/java.c:2280
>     #3 0x7f9f968d96ae in JLI_Launch 
> src/java.base/share/native/libjli/java.c:340
>     #4 0x5594a81c337c in main 
> src/java.base/share/native/launcher/main.c:166
>     #5 0x7f9f96046189 in __libc_start_call_main 
> ../sysdeps/nptl/libc_start_call_main.h:58
>
> -- 
> Justin King
> Software Engineer
> jcking at google.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/hotspot-compiler-dev/attachments/20230209/a06af498/attachment-0001.htm>
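Added example, not from this thread and not HotSpot's Arena: a toy bump arena in C that does what the instrumentation discussed above does, poisoning a freed range so that a later read is reported by ASan as a use-after-poison, and that additionally keeps a side table of where each range was freed. The report quoted above carries only an "allocated by" stack, because manual poisoning records no free site, so the side table is what answers the "where was the memory freed?" question. The free-then-read shape of the Node::destruct issue and the move-the-free-last fix are shown side by side. Every name here (toy_arena, arena_alloc, arena_free, arena_free_site, node_destruct_buggy, TOY_TRIGGER) is invented for the example; the Afree-like reclaim rule (only the most recent allocation moves the high-water mark back) is a simplification, and the arena uses a single chunk with no growth.

```c
/* Added example, not HotSpot code: a toy bump arena whose free path poisons the range
 * as an ASan-instrumented Arena::Afree would, plus a side table of WHERE each range was
 * freed (a use-after-poison report, as above, carries only the allocation stack). */
#include <stdio.h>
#include <stdlib.h>
#ifndef __has_feature
#  define __has_feature(x) 0              /* older gcc has no __has_feature */
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#  include <sanitizer/asan_interface.h>
#  define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else /* without -fsanitize=address the poisoning calls compile to nothing */
#  define POISON(p, n)   ((void)(p), (void)(n))
#  define UNPOISON(p, n) ((void)(p), (void)(n))
#endif
enum { CHUNK_SIZE = 4096, MAX_FREE_SITES = 64, ALIGN = 8 };   /* all names invented */
typedef struct { size_t off, len; const char *file; int line; } free_site;
typedef struct {
    unsigned char *chunk;            /* one malloc'd chunk; a real arena chains many */
    size_t hwm;                      /* high-water mark: next unused byte */
    free_site freed[MAX_FREE_SITES]; /* who freed what, newest last */
    size_t nfreed;
} toy_arena;
static size_t round_up(size_t n) { return (n + ALIGN - 1) & ~(size_t)(ALIGN - 1); }

static toy_arena *arena_new(void) {
    toy_arena *a = calloc(1, sizeof *a);
    if (!a || !(a->chunk = malloc(CHUNK_SIZE))) abort();
    POISON(a->chunk, CHUNK_SIZE); return a;   /* nothing handed out yet: all of it is red */
}
static void arena_delete(toy_arena *a) { UNPOISON(a->chunk, CHUNK_SIZE); free(a->chunk); free(a); }
static void *arena_alloc(toy_arena *a, size_t n) {
    size_t start = a->hwm, k = 0;
    n = round_up(n);
    if (start + n > CHUNK_SIZE) return NULL;   /* toy: no chunk growth */
    for (size_t i = 0; i < a->nfreed; i++)     /* a reclaimed range is live again: */
        if (a->freed[i].off < start) a->freed[k++] = a->freed[i]; /* drop its record */
    a->nfreed = k;
    a->hwm = start + n;
    UNPOISON(a->chunk + start, n);
    return a->chunk + start;
}

/* Afree-like: only the most recent allocation is really reclaimed (hwm moves back);
 * anything else stays dead. Either way the bytes are poisoned and the site recorded. */
static void arena_free_at(toy_arena *a, void *p, size_t n, const char *file, int line) {
    size_t off = (size_t)((unsigned char *)p - a->chunk);
    n = round_up(n);
    if (off + n == a->hwm) a->hwm = off;
    POISON(p, n);
    if (a->nfreed < MAX_FREE_SITES) a->freed[a->nfreed++] = (free_site){ off, n, file, line };
}
#define arena_free(a, p, n) arena_free_at((a), (p), (n), __FILE__, __LINE__)
/* Line where the range holding p was freed (newest record wins), 0 if none. */
static int arena_free_site(const toy_arena *a, const void *p, const char **file) {
    size_t off = (size_t)((const unsigned char *)p - a->chunk);
    for (size_t i = a->nfreed; i-- > 0;)
        if (off >= a->freed[i].off && off < a->freed[i].off + a->freed[i].len)
            { if (file) *file = a->freed[i].file; return a->freed[i].line; }
    return 0;
}
typedef struct { int opcode; int in_count; } toy_node;
/* Shape of the first bug in the thread: free, then read. ASan flags the read. */
static int node_destruct_buggy(toy_arena *a, toy_node *n) {
    arena_free(a, n, sizeof *n);
    return n->in_count;
}
/* The fix: take what is needed from the node first, free last. */
static int node_destruct_fixed(toy_arena *a, toy_node *n) {
    int in_count = n->in_count;
    arena_free(a, n, sizeof *n);
    return in_count;
}

/* Exercises the arena; returns 1 when every expectation holds. */
static int self_check(void) {
    toy_arena *a = arena_new();
    size_t sz = round_up(sizeof(toy_node));
    toy_node *n1 = arena_alloc(a, sizeof(toy_node)), *n2 = arena_alloc(a, sizeof(toy_node));
    n1->in_count = 3; n2->in_count = 7;
    int ok = (a->hwm == 2 * sz) && node_destruct_fixed(a, n2) == 7;
    ok &= (a->hwm == sz) && arena_free_site(a, n2, NULL) != 0;      /* top: reclaimed, recorded */
    ok &= arena_alloc(a, sizeof(toy_node)) == n2 && arena_free_site(a, n2, NULL) == 0; /* reused */
    ok &= node_destruct_fixed(a, n1) == 3;
    ok &= (a->hwm == 2 * sz) && arena_free_site(a, n1, NULL) != 0;  /* not top: stays dead */
    arena_delete(a);
    return ok;
}

int main(void) {   /* TOY_TRIGGER=1 with -fsanitize=address shows the use-after-poison report */
    toy_arena *a = arena_new();
    toy_node *n = arena_alloc(a, sizeof *n);
    printf("self-check %s\n", self_check() ? "ok" : "FAILED");
    if (getenv("TOY_TRIGGER")) printf("%d\n", node_destruct_buggy(a, n));
    arena_delete(a);
}
```

Build with `cc -g -fsanitize=address toy_arena.c` and run with `TOY_TRIGGER=1` to get a report of the same shape as the one quoted above (a READ on a poisoned address with only an allocation stack). Built without the flag, the POISON/UNPOISON macros compile away and self_check still passes, which is the point of the side table: it answers "where was this freed?" whether or not ASan is present. Note the record-dropping loop in arena_alloc; without it a range that was reclaimed (hwm moved back) and handed out again would still be reported as freed, which is the same kind of confusion a recycling allocator can cause for any "freed by" bookkeeping.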