RFR: JDK-8302595: use-after-free related to GraphKit::clone_map [v3]
Tobias Hartmann
thartmann at openjdk.org
Thu Feb 16 07:48:29 UTC 2023
On Wed, 15 Feb 2023 21:17:25 GMT, Justin King <jcking at openjdk.org> wrote:
>> `GraphKit::clone_map` duplicates `SafePointNode` and calls `Compile::record_for_igvn`. In some cases `SafePointNode` is not used, so `Node::destruct` is called to clean up. The `Unique_Node_List` returned by `Compile::for_igvn` still references the node, which resides in freed memory that may or may not have been reused. We additionally need to remove the node from `Unique_Node_List` as well to prevent this from happening.
>>
>> I introduced `GraphKit::destruct_map_clone` which undoes `GraphKit::clone_map`. It even clears the type, though I am not sure if this is necessary, so feel free to suggest otherwise. Additionally it calls `delete` on `JVMState`, which is a no-op, but it seems like the correct thing to do in case it's ever changed.
>
> Justin King has updated the pull request incrementally with one additional commit since the last revision:
>
> Do not call set_memory or set_jvms
>
> Signed-off-by: Justin King <jcking at google.com>
Looks good to me.
src/hotspot/share/opto/phaseX.hpp line 244:
> 242:   void clear_type(const Node* n) {
> 243:     if (n->_idx < _types.Size())
> 244:       _types.map(n->_idx, NULL);
Suggestion:
    if (n->_idx < _types.Size()) {
      _types.map(n->_idx, NULL);
    }
-------------
Marked as reviewed by thartmann (Reviewer).
PR: https://git.openjdk.org/jdk/pull/12578
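A simplified model of the use-after-free the PR describes and of the fix, added here as an example; it is not code from the PR or from HotSpot. `Node`, `UniqueNodeList` and `Compile` are cut-down stand-ins for the real classes, and the `freed` set is bookkeeping added only so a dangling worklist entry can be detected deterministically rather than by dereferencing freed memory.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>
// Stand-ins for HotSpot's Node and Unique_Node_List (assumptions for this example,
// not the real classes): the worklist stores raw, non-owning pointers.
struct Node { std::size_t idx; };
struct UniqueNodeList {
    std::vector<Node*> nodes;
    void push(Node* n) {                       // like Unique_Node_List::push: no duplicates
        if (std::find(nodes.begin(), nodes.end(), n) == nodes.end()) nodes.push_back(n);
    }
    void remove(Node* n) {                     // the step the pre-fix path was missing
        nodes.erase(std::remove(nodes.begin(), nodes.end(), n), nodes.end());
    }
};
// Models the relevant part of Compile: the for_igvn worklist plus a record of freed
// addresses (constructed bookkeeping, so stale entries can be counted without UB).
struct Compile {
    UniqueNodeList for_igvn;
    std::set<std::uintptr_t> freed;
    std::size_t next_idx = 0;
    Node* clone_map() {                        // GraphKit::clone_map: duplicate + record_for_igvn
        Node* n = new Node{next_idx++};
        for_igvn.push(n);
        return n;
    }
    void destruct_only(Node* n) {              // pre-fix path: Node::destruct, worklist untouched
        freed.insert(reinterpret_cast<std::uintptr_t>(n));
        delete n;
    }
    void destruct_map_clone(Node* n) {         // the fix: drop the worklist entry, then destruct
        for_igvn.remove(n);
        destruct_only(n);
    }
    std::size_t dangling_entries() const {     // worklist entries that now point at freed memory
        std::size_t count = 0;
        for (Node* n : for_igvn.nodes)
            if (freed.count(reinterpret_cast<std::uintptr_t>(n))) ++count;
        return count;
    }
};
// Pre-fix: the freed clone is still on the IGVN worklist (1 dangling entry).
std::size_t dangling_after_destruct_only() { Compile c; Node* n = c.clone_map(); c.destruct_only(n); return c.dangling_entries(); }
// With the fix: the entry is removed before the node is destructed (0 dangling entries).
std::size_t dangling_after_fix() { Compile c; Node* n = c.clone_map(); c.destruct_map_clone(n); return c.dangling_entries(); }
```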