[External] : Re: use-after-free in C2
dean.long at oracle.com
dean.long at oracle.com
Mon Feb 13 22:00:26 UTC 2023
That's strange. Doesn't Arena::grow() allocate a chunk of size
Chunk::size (~32K) or larger?
dl
On 2/10/23 12:42 PM, Justin King wrote:
> Hm. That size is still too big, I don't think the node is 224 bytes.
> Let me double check again.
>
> On Fri, Feb 10, 2023 at 12:06 PM Justin King <jcking at google.com> wrote:
>
> Looks to be the temporary node created by clone_map is leaking. I
> think there is a missing call to undo some of the work done by
> clone_map.
>
> ==3591618==ERROR: AddressSanitizer: use-after-poison on address
> 0x6110000e20b8 at pc 0x7f7d8cac1875 bp 0x7f7d1028be20 sp
> 0x7f7d1028be18
> READ of size 4 at 0x6110000e20b8 thread T13
> #0 0x7f7d8cac1874 in
> Unique_Node_List::remove_useless_nodes(VectorSet&)
> src/hotspot/share/opto/node.cpp:2967
> #1 0x7f7d8cc90b03 in
> PhaseRemoveUseless::PhaseRemoveUseless(PhaseGVN*,
> Unique_Node_List*, Phase::PhaseNumber)
> src/hotspot/share/opto/phaseX.cpp:423
> #2 0x7f7d8b03853b in Compile::Compile(ciEnv*, ciMethod*, int,
> Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:797
> #3 0x7f7d8ace8ece in C2Compiler::compile_method(ciEnv*,
> ciMethod*, int, bool, DirectiveSet*)
> src/hotspot/share/opto/c2compiler.cpp:113
> #4 0x7f7d8b0507f8 in
> CompileBroker::invoke_compiler_on_method(CompileTask*)
> src/hotspot/share/compiler/compileBroker.cpp:2237
> #5 0x7f7d8b053e57 in CompileBroker::compiler_thread_loop()
> src/hotspot/share/compiler/compileBroker.cpp:1916
> #6 0x7f7d8bc1f3a8 in JavaThread::thread_main_inner()
> src/hotspot/share/runtime/javaThread.cpp:710
> #7 0x7f7d8bc1f99f in JavaThread::thread_main_inner()
> src/hotspot/share/runtime/javaThread.cpp:689
> #8 0x7f7d8bc1f99f in JavaThread::run()
> src/hotspot/share/runtime/javaThread.cpp:695
> #9 0x7f7d8d535b35 in Thread::call_run()
> src/hotspot/share/runtime/thread.cpp:224
> #10 0x7f7d8cb7de8f in thread_native_entry
> src/hotspot/os/linux/os_linux.cpp:737
> #11 0x7f7d8faa7fd3 in start_thread nptl/pthread_create.c:442
> #12 0x7f7d8fb2866b in clone3
> ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
>
> 0x6110000e20b8 is located 56 bytes inside of 224-byte region
> [0x6110000e2080,0x6110000e2160)
> allocated by thread T13 here:
> #0 0x7f7d8fcb89cf in __interceptor_malloc
> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
> #1 0x7f7d8cb65b9a in os::malloc(unsigned long, MEMFLAGS,
> NativeCallStack const&) src/hotspot/share/runtime/os.cpp:672
> #2 0x7f7d8a68c47e in Chunk::operator new(unsigned long,
> AllocFailStrategy::AllocFailEnum, unsigned long)
> src/hotspot/share/memory/arena.cpp:190
> #3 0x7f7d8a68c47e in Arena::grow(unsigned long,
> AllocFailStrategy::AllocFailEnum)
> src/hotspot/share/memory/arena.cpp:345
> #4 0x7f7d8cac1c44 in Arena::internal_amalloc(unsigned long,
> AllocFailStrategy::AllocFailEnum)
> src/hotspot/share/memory/arena.hpp:113
> #5 0x7f7d8cac1c44 in Arena::AmallocWords(unsigned long,
> AllocFailStrategy::AllocFailEnum)
> src/hotspot/share/memory/arena.hpp:140
> #6 0x7f7d8cac1c44 in Node::clone() const
> src/hotspot/share/opto/node.cpp:495
> #7 0x7f7d8b980c38 in GraphKit::clone_map()
> src/hotspot/share/opto/graphKit.cpp:727
> #8 0x7f7d8c538b44 in
> LibraryCallKit::inline_unsafe_load_store(BasicType,
> LibraryCallKit::LoadStoreKind, LibraryCallKit::AccessKind)
> src/hotspot/share/opto/library_call.cpp:2599
> #9 0x7f7d8c5aad3e in LibraryCallKit::try_to_inline(int)
> src/hotspot/share/opto/library_call.cpp:416
> #10 0x7f7d8c5ae34b in LibraryIntrinsic::generate(JVMState*)
> src/hotspot/share/opto/library_call.cpp:116
> #11 0x7f7d8b4430e9 in Parse::do_call()
> src/hotspot/share/opto/doCall.cpp:662
> #12 0x7f7d8cc4c1ef in Parse::do_one_bytecode()
> src/hotspot/share/opto/parse2.cpp:2704
> #13 0x7f7d8cc1f3f6 in Parse::do_one_block()
> src/hotspot/share/opto/parse1.cpp:1554
> #14 0x7f7d8cc207ce in Parse::do_all_blocks()
> src/hotspot/share/opto/parse1.cpp:706
> #15 0x7f7d8cc2a214 in Parse::Parse(JVMState*, ciMethod*,
> float) src/hotspot/share/opto/parse1.cpp:613
> #16 0x7f7d8acec235 in ParseGenerator::generate(JVMState*)
> src/hotspot/share/opto/callGenerator.cpp:99
> #17 0x7f7d8b03738c in Compile::Compile(ciEnv*, ciMethod*, int,
> Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:763
> #18 0x7f7d8ace8ece in C2Compiler::compile_method(ciEnv*,
> ciMethod*, int, bool, DirectiveSet*)
> src/hotspot/share/opto/c2compiler.cpp:113
> #19 0x7f7d8b0507f8 in
> CompileBroker::invoke_compiler_on_method(CompileTask*)
> src/hotspot/share/compiler/compileBroker.cpp:2237
> #20 0x7f7d8b053e57 in CompileBroker::compiler_thread_loop()
> src/hotspot/share/compiler/compileBroker.cpp:1916
> #21 0x7f7d8bc1f3a8 in JavaThread::thread_main_inner()
> src/hotspot/share/runtime/javaThread.cpp:710
> #22 0x7f7d8bc1f99f in JavaThread::thread_main_inner()
> src/hotspot/share/runtime/javaThread.cpp:689
> #23 0x7f7d8bc1f99f in JavaThread::run()
> src/hotspot/share/runtime/javaThread.cpp:695
> #24 0x7f7d8d535b35 in Thread::call_run()
> src/hotspot/share/runtime/thread.cpp:224
> #25 0x7f7d8cb7de8f in thread_native_entry
> src/hotspot/os/linux/os_linux.cpp:737
> #26 0x7f7d8faa7fd3 in start_thread nptl/pthread_create.c:442
>
>
>
> On Thu, Feb 9, 2023 at 2:31 PM Justin King <jcking at google.com> wrote:
>
> Hm. It unfortunately does not show where it was poisoned, as
> the Arena uses large chunks with multiple separate allocations
> per chunk. ASan only keeps track of malloc/free. But if I
> change the Arena implementation when building under ASan to
> just use a right-sized chunk for each request, it should be
> able to show us. I'll try that and bump this once I get
> something more definitive.
>
> On Thu, Feb 9, 2023 at 1:41 PM <dean.long at oracle.com> wrote:
>
> Can ASan show where the memory was freed? We've had
> crashes in the past (like JDK-8270028) that could be
> related to memory corruption or how ResourceArea recycles
> memory. The allocation below seems to be using an Arena
> without a ResourceArea, but if some other code used the
> same arena wrapped in a ResourceArea, then it seems like
> that could lead to potential problems.
>
> dl
>
> On 2/9/23 8:59 AM, Justin King wrote:
>> Hi,
>>
>> I was looking at instrumenting Arena again for ASan.
>> The WIP patch is 047d4aa9a091cf5a84b9308454862e39666ca253
>> <https://github.com/jcking/jdk/commit/047d4aa9a091cf5a84b9308454862e39666ca253>.
>> I ran back into the suspicious logic in C2
>> <https://bugs.openjdk.org/browse/JDK-8298984> where nodes
>> are used after calling Arena::Afree. The first issue is
>> present in Node::destruct, which I fixed by moving the
>> call to Arena::Afree to the bottom of the function
>> (addressed in patch). The second issue came up after in
>> Compile::Compile, the stack trace is below. It looks like
>> there are residual freed nodes being operated on? Maybe
>> we are failing to unregister a temporary node from the
>> node list? Maybe related to clone_map which returns
>> SafePointNode?
>>
>> ==3146540==ERROR: AddressSanitizer: use-after-poison on
>> address 0x62d00996b370 at pc 0x7f9f93048335 bp
>> 0x7f9ed29fae20 sp 0x7f9ed29fae18
>> READ of size 4 at 0x62d00996b370 thread T13
>> #0 0x7f9f93048334 in
>> Unique_Node_List::remove_useless_nodes(VectorSet&)
>> src/hotspot/share/opto/node.cpp:2967
>> #1 0x7f9f932124b3 in
>> PhaseRemoveUseless::PhaseRemoveUseless(PhaseGVN*,
>> Unique_Node_List*, Phase::PhaseNumber)
>> src/hotspot/share/opto/phaseX.cpp:423
>> #2 0x7f9f91621beb in Compile::Compile(ciEnv*,
>> ciMethod*, int, Options, DirectiveSet*)
>> src/hotspot/share/opto/compile.cpp:797
>> #3 0x7f9f912e37fe in
>> C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool,
>> DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
>> #4 0x7f9f91638e07 in
>> CompileBroker::invoke_compiler_on_method(CompileTask*)
>> src/hotspot/share/compiler/compileBroker.cpp:2237
>> #5 0x7f9f9163bfd7 in
>> CompileBroker::compiler_thread_loop()
>> src/hotspot/share/compiler/compileBroker.cpp:1916
>> #6 0x7f9f921e3eec in JavaThread::thread_main_inner()
>> src/hotspot/share/runtime/javaThread.cpp:710
>> #7 0x7f9f921e434f in JavaThread::thread_main_inner()
>> src/hotspot/share/runtime/javaThread.cpp:689
>> #8 0x7f9f921e434f in JavaThread::run()
>> src/hotspot/share/runtime/javaThread.cpp:695
>> #9 0x7f9f93aa3f55 in Thread::call_run()
>> src/hotspot/share/runtime/thread.cpp:224
>> #10 0x7f9f9310144f in thread_native_entry
>> src/hotspot/os/linux/os_linux.cpp:737
>> #11 0x7f9f960a7fd3 in start_thread
>> nptl/pthread_create.c:442
>> #12 0x7f9f9612866b in clone3
>> ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
>>
>> 0x62d00996b370 is located 20336 bytes inside of
>> 32744-byte region [0x62d009966400,0x62d00996e3e8)
>> allocated by thread T13 here:
>> #0 0x7f9f962b89cf in __interceptor_malloc
>> ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
>> #1 0x7f9f930e915a in os::malloc(unsigned long,
>> MEMFLAGS, NativeCallStack const&)
>> src/hotspot/share/runtime/os.cpp:672
>> #2 0x7f9f90c8a08a in Chunk::operator new(unsigned
>> long, AllocFailStrategy::AllocFailEnum, unsigned long)
>> src/hotspot/share/memory/arena.cpp:190
>> #3 0x7f9f90c8a08a in Arena::grow(unsigned long,
>> AllocFailStrategy::AllocFailEnum)
>> src/hotspot/share/memory/arena.cpp:325
>> #4 0x7f9f932109f5 in Arena::internal_amalloc(unsigned
>> long, AllocFailStrategy::AllocFailEnum)
>> src/hotspot/share/memory/arena.hpp:113
>> #5 0x7f9f932109f5 in Arena::Amalloc(unsigned long,
>> AllocFailStrategy::AllocFailEnum)
>> src/hotspot/share/memory/arena.hpp:133
>> #6 0x7f9f932109f5 in NodeHash::NodeHash(Arena*,
>> unsigned int) src/hotspot/share/opto/phaseX.cpp:68
>> #7 0x7f9f932293c7 in PhaseValues::PhaseValues(Arena*,
>> unsigned int) src/hotspot/share/opto/phaseX.cpp:697
>> #8 0x7f9f9161f678 in PhaseGVN::PhaseGVN(Arena*,
>> unsigned int) src/hotspot/share/opto/phaseX.hpp:415
>> #9 0x7f9f9161f678 in Compile::Compile(ciEnv*,
>> ciMethod*, int, Options, DirectiveSet*)
>> src/hotspot/share/opto/compile.cpp:714
>> #10 0x7f9f912e37fe in
>> C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool,
>> DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
>> #11 0x7f9f91638e07 in
>> CompileBroker::invoke_compiler_on_method(CompileTask*)
>> src/hotspot/share/compiler/compileBroker.cpp:2237
>> #12 0x7f9f9163bfd7 in
>> CompileBroker::compiler_thread_loop()
>> src/hotspot/share/compiler/compileBroker.cpp:1916
>> #13 0x7f9f921e3eec in JavaThread::thread_main_inner()
>> src/hotspot/share/runtime/javaThread.cpp:710
>> #14 0x7f9f921e434f in JavaThread::thread_main_inner()
>> src/hotspot/share/runtime/javaThread.cpp:689
>> #15 0x7f9f921e434f in JavaThread::run()
>> src/hotspot/share/runtime/javaThread.cpp:695
>> #16 0x7f9f93aa3f55 in Thread::call_run()
>> src/hotspot/share/runtime/thread.cpp:224
>> #17 0x7f9f9310144f in thread_native_entry
>> src/hotspot/os/linux/os_linux.cpp:737
>> #18 0x7f9f960a7fd3 in start_thread
>> nptl/pthread_create.c:442
>>
>> Thread T13 created by T1 here:
>> #0 0x7f9f96249726 in __interceptor_pthread_create
>> ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
>> #1 0x7f9f93102d88 in os::create_thread(Thread*,
>> os::ThreadType, unsigned long)
>> src/hotspot/os/linux/os_linux.cpp:888
>> #2 0x7f9f91693d93 in
>> CompilerThread::CompilerThread(CompileQueue*,
>> CompilerCounters*)
>> src/hotspot/share/compiler/compilerThread.cpp:34
>> #3 0x7f9f91625c7c in
>> CompileBroker::make_thread(CompileBroker::ThreadType,
>> _jobject*, CompileQueue*, AbstractCompiler*, JavaThread*)
>> src/hotspot/share/compiler/compileBroker.cpp:842
>> #4 0x7f9f91628f71 in
>> CompileBroker::init_compiler_threads()
>> src/hotspot/share/compiler/compileBroker.cpp:943
>> #5 0x7f9f9162a464 in
>> CompileBroker::compilation_init_phase1(JavaThread*)
>> src/hotspot/share/compiler/compileBroker.cpp:654
>> #6 0x7f9f93adc3a4 in
>> Threads::create_vm(JavaVMInitArgs*, bool*)
>> src/hotspot/share/runtime/threads.cpp:701
>> #7 0x7f9f92465b51 in JNI_CreateJavaVM_inner
>> src/hotspot/share/prims/jni.cpp:3588
>> #8 0x7f9f92465b51 in JNI_CreateJavaVM
>> src/hotspot/share/prims/jni.cpp:3674
>> #9 0x7f9f968d2e25 in InitializeJVM
>> src/java.base/share/native/libjli/java.c:1459
>> #10 0x7f9f968d2e25 in JavaMain
>> src/java.base/share/native/libjli/java.c:413
>> #11 0x7f9f968db708 in ThreadJavaMain
>> src/java.base/unix/native/libjli/java_md.c:650
>> #12 0x7f9f960a7fd3 in start_thread
>> nptl/pthread_create.c:442
>>
>> Thread T1 created by T0 here:
>> #0 0x7f9f96249726 in __interceptor_pthread_create
>> ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
>> #1 0x7f9f968dd3a1 in CallJavaMainInNewThread
>> src/java.base/unix/native/libjli/java_md.c:691
>> #2 0x7f9f968d822d in ContinueInNewThread
>> src/java.base/share/native/libjli/java.c:2280
>> #3 0x7f9f968d96ae in JLI_Launch
>> src/java.base/share/native/libjli/java.c:340
>> #4 0x5594a81c337c in main
>> src/java.base/share/native/launcher/main.c:166
>> #5 0x7f9f96046189 in __libc_start_call_main
>> ../sysdeps/nptl/libc_start_call_main.h:58
>>
>> --
>>
>> Google Logo
>> Justin King
>> Software Engineer
>> jcking at google.com
>>
>>
>>
>>
>
>
> --
>
> Google Logo
> Justin King
> Software Engineer
> jcking at google.com
>
>
>
>
>
>
> --
>
> Google Logo
> Justin King
> Software Engineer
> jcking at google.com
>
>
>
>
>
>
> --
>
> Google Logo
> Justin King
> Software Engineer
> jcking at google.com
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/hotspot-compiler-dev/attachments/20230213/2fe25b0b/attachment-0001.htm>
More information about the hotspot-compiler-dev
mailing list