RFR: JDK-8302594: use-after-free in Node::destruct [v2]
Justin King
jcking at openjdk.org
Wed Feb 15 20:30:43 UTC 2023
On Wed, 15 Feb 2023 19:20:08 GMT, Vladimir Kozlov <kvn at openjdk.org> wrote:
>> Justin King has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update based on review
>>
>> Signed-off-by: Justin King <jcking at google.com>
>
> src/hotspot/share/opto/node.cpp line 625:
>
>> 623: char *edge_end = in_array + edge_size;
>> 624: char *out_array = (char*)(_out == NO_OUT_ARRAY? NULL: _out);
>> 625: int node_size = size_of();
>
> This code should be moved down too before lines which trash fields.
Moved to just below the ASSERT block that trashes fields.
> src/hotspot/share/opto/node.cpp line 655:
>
>> 653: _in = _out = (Node**) badAddress;
>> 654: _max = _cnt = _outmax = _outcnt = 0;
>> 655: compile->remove_modified_node(this);
>
> `remove_modified_node(this)` should be called before we trash node's fields.
Shouldn't remove_modified_node always be called, regardless of build type? Having it in an ASSERT block is weird.
-------------
PR: https://git.openjdk.org/jdk/pull/12577
More information about the hotspot-compiler-dev mailing list