RFR: JDK-8302595: use-after-free related to GraphKit::clone_map [v4]

Justin King jcking at openjdk.org
Thu Feb 16 13:57:01 UTC 2023


> `GraphKit::clone_map` duplicates `SafePointNode` and calls `Compile::record_for_igvn`. In some cases `SafePointNode` is not used so `Node::destruct` is called to clean up. The `Unique_Node_List` returned by `Compile::for_igvn` still references the node which resides in freed memory which may or may not have been reused. We additionally need to remove the node from `Unique_Node_List` as well to prevent this from happening.
> 
> I introduced `GraphKit::destruct_map_clone` which undoes `GraphKit::clone_map`. It even clears the type, though I am not sure if this is necessary so feel free to suggest otherwise. Additionally it calls `delete` on `JVMState`, which is a noop, but it seems like the correct thing to do in case it's ever changed.

Justin King has updated the pull request incrementally with one additional commit since the last revision:

  Update src/hotspot/share/opto/phaseX.hpp
  
  Co-authored-by: Tobias Hartmann <tobias.hartmann at oracle.com>

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/12578/files
  - new: https://git.openjdk.org/jdk/pull/12578/files/3385ae23..8003f7af

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=12578&range=03
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=12578&range=02-03

  Stats: 2 lines in 1 file changed: 1 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/12578.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/12578/head:pull/12578

PR: https://git.openjdk.org/jdk/pull/12578
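A minimal model of the stale-worklist problem the PR description refers to, written for this page and not taken from the PR or from HotSpot: `Node`, `UniqueNodeList`, `Compile`, `destruct_only` and the `dead` flag are hypothetical stand-ins for HotSpot's `Node`, `Unique_Node_List`, `Compile::for_igvn` and arena-backed `Node::destruct`, and `clone_map` / `destruct_map_clone` mirror only the worklist bookkeeping discussed above.

```cpp
// Added example (not from the PR): why a node destroyed without being removed
// from the IGVN worklist leaves a dangling entry, and how the fix avoids it.
#include <algorithm>
#include <memory>
#include <vector>

struct Node {
  int  id = 0;
  bool dead = false;  // stands in for Node::destruct handing memory back to the arena
};

// Deduplicating worklist of raw pointers, modelled on Unique_Node_List (hypothetical).
struct UniqueNodeList {
  std::vector<Node*> nodes;
  bool contains(Node* n) const { return std::find(nodes.begin(), nodes.end(), n) != nodes.end(); }
  void push(Node* n) { if (!contains(n)) nodes.push_back(n); }
  void remove(Node* n) { nodes.erase(std::remove(nodes.begin(), nodes.end(), n), nodes.end()); }
  // What a later IGVN pass would trip over: entries that point at destroyed nodes.
  int stale_entries() const {
    int count = 0;
    for (Node* n : nodes) if (n->dead) ++count;
    return count;
  }
};

struct Compile {
  std::vector<std::unique_ptr<Node>> arena;  // owns node storage (hypothetical arena)
  UniqueNodeList for_igvn;                   // worklist returned by Compile::for_igvn
  int next_id = 0;

  Node* clone_map() {                        // duplicate a map node and record it for IGVN
    arena.push_back(std::make_unique<Node>());
    Node* n = arena.back().get();
    n->id = next_id++;
    for_igvn.push(n);                        // record_for_igvn
    return n;
  }
  // Before the fix: the clone is destroyed but the worklist still references it.
  void destruct_only(Node* n) { n->dead = true; }
  // After the fix: drop the worklist entry, then destroy the clone.
  void destruct_map_clone(Node* n) { for_igvn.remove(n); n->dead = true; }
};

// Drive both paths from a fresh Compile and report how many stale entries remain.
int stale_count_before_fix() { Compile c; Node* m = c.clone_map(); c.destruct_only(m);      return c.for_igvn.stale_entries(); }
int stale_count_after_fix()  { Compile c; Node* m = c.clone_map(); c.destruct_map_clone(m); return c.for_igvn.stale_entries(); }
```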

