RFR: JDK-8302594: use-after-free in Node::destruct [v2]

Vladimir Kozlov kvn at openjdk.org
Wed Feb 15 20:30:37 UTC 2023


On Wed, 15 Feb 2023 19:56:18 GMT, Justin King <jcking at openjdk.org> wrote:

>> Instrumenting Arena for ASan revealed some `use-after-free` behavior in C2. One of them is in `Node::destruct`, where the storage for `Node` is freed and then fields are accessed. Thankfully none of the methods called allocate, but they could in the future. To resolve this, we move the calls to `Afree` to the end of `Node::destruct`.
>
> Justin King has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update based on review
>   
>   Signed-off-by: Justin King <jcking at google.com>

src/hotspot/share/opto/node.cpp line 625:

> 623:   char *edge_end = in_array + edge_size;
> 624:   char *out_array = (char*)(_out == NO_OUT_ARRAY? NULL: _out);
> 625:   int node_size = size_of();

This code should be moved down too, before the lines which trash the fields.

src/hotspot/share/opto/node.cpp line 655:

> 653:   _in = _out = (Node**) badAddress;
> 654:   _max = _cnt = _outmax = _outcnt = 0;
> 655:   compile->remove_modified_node(this);

`remove_modified_node(this)` should be called before we trash the node's fields.

src/hotspot/share/opto/node.cpp line 668:

> 666: #ifndef ASSERT
> 667:     compile->node_arena()->Afree(in_array, edge_size+node_size);
> 668: #endif

Why do we do it only in the product VM? I need to look.

-------------

PR: https://git.openjdk.org/jdk/pull/12577
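The ordering problem the PR fixes, as an added stand-alone illustration that is not HotSpot code: a toy arena that records and poisons freed storage (standing in for the ASan instrumentation that caught the real bug), a `Node` with a few of the real fields, and `destruct` in both orderings. `Arena`, `store` and `make_node` are assumptions made for the demonstration.

```cpp
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>
// Toy arena (an assumption, not HotSpot's): bump allocation; Afree records and poisons the freed range.
struct Arena {
    std::vector<char> buf = std::vector<char>(4096, 0);
    size_t top = 0;
    std::vector<std::pair<size_t, size_t>> freed;  // (offset, size) of each freed block
    char* Amalloc(size_t n) { char* p = buf.data() + top; top += n; return p; }
    void Afree(void* p, size_t n) { freed.emplace_back((char*)p - buf.data(), n); std::memset(p, 0xAB, n); }
    bool is_freed(const void* p) const {
        size_t off = (const char*)p - buf.data();
        for (const auto& r : freed) if (off >= r.first && off < r.first + r.second) return true;
        return false;
    }
};
// A few of the real Node fields; as in destruct, the node body sits right after its edge array.
struct Node {
    Node** _in; Node** _out;
    uint32_t _max, _cnt, _outmax, _outcnt;
    size_t size_of() const { return sizeof(Node); }
};
// Writes a field only if its storage is still live; false means the write would be a use-after-free.
template <typename T> bool store(const Arena& a, T& field, T value) {
    if (a.is_freed(&field)) return false;
    field = value; return true;
}
Node* make_node(Arena& a, uint32_t max) {
    size_t edge_size = max * sizeof(Node*);
    char* in_array = a.Amalloc(edge_size + sizeof(Node));
    Node* n = (Node*)(in_array + edge_size);
    n->_in = (Node**)in_array; n->_out = nullptr; n->_max = n->_cnt = max; n->_outmax = n->_outcnt = 0;
    return n;
}
// Ordering the PR diagnosed: Afree first, so the field writes that follow land on freed storage.
bool destruct_free_first(Arena& a, Node* n) {
    char* in_array = (char*)n->_in;
    a.Afree(in_array, n->_max * sizeof(Node*) + n->size_of());  // this block contains n itself
    return store(a, n->_in, (Node**)nullptr) && store(a, n->_max, uint32_t(0));
}
// Fixed ordering: read what destruct needs, trash the fields, and call Afree last.
bool destruct_free_last(Arena& a, Node* n) {
    char* in_array = (char*)n->_in;
    size_t total = n->_max * sizeof(Node*) + n->size_of();
    bool ok = store(a, n->_in, (Node**)nullptr) && store(a, n->_max, uint32_t(0));
    a.Afree(in_array, total);
    return ok;
}
```

The first ordering fails its own liveness check on the very first field write, which is exactly the access pattern ASan reported; the second completes every write on live memory and only then releases the block.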

