Integrated: JDK-8302595: use-after-free related to GraphKit::clone_map

Justin King jcking at openjdk.org
Thu Feb 16 14:43:37 UTC 2023


On Wed, 15 Feb 2023 17:02:34 GMT, Justin King <jcking at openjdk.org> wrote:

> `GraphKit::clone_map` duplicates `SafePointNode` and calls `Compile::record_for_igvn`. In some cases `SafePointNode` is not used, so `Node::destruct` is called to clean up. The `Unique_Node_List` returned by `Compile::for_igvn` still references the node, which resides in freed memory which may or may not have been reused. We additionally need to remove the node from `Unique_Node_List` as well to prevent this from happening.
> 
> I introduced `GraphKit::destruct_map_clone`, which undoes `GraphKit::clone_map`. It even clears the type, though I am not sure if this is necessary, so feel free to suggest otherwise. Additionally it calls `delete` on `JVMState`, which is a noop, but it seems like the correct thing to do in case it's ever changed.

This pull request has now been integrated.

Changeset: 3cc459b6
Author:    Justin King <jcking at openjdk.org>
Committer: Tobias Hartmann <thartmann at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/3cc459b6c2f571987dc36fd548a2b830f0b33a0a
Stats:     47 lines in 7 files changed: 40 ins; 0 del; 7 mod

8302595: use-after-free related to GraphKit::clone_map

Reviewed-by: kvn, thartmann

-------------

PR: https://git.openjdk.org/jdk/pull/12578
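The pattern behind this fix, as an added illustration that is not HotSpot code: a duplicate-free worklist (standing in for the `Unique_Node_List` behind `Compile::for_igvn`) keeps a raw pointer to a cloned node, so tearing the node down without un-recording it leaves a stale entry. All class and function names below are hypothetical stand-ins, and `destruct` marks the node dead instead of freeing it so the stale reference is observable rather than undefined behaviour.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

struct Node {
  int id;
  bool alive = true;   // cleared by destruct(); a real allocator would free the memory
};

// Stand-in for the Unique_Node_List behind Compile::for_igvn(): a duplicate-free
// worklist of raw pointers that knows nothing about node lifetime.
class UniqueNodeList {
  std::vector<Node*> nodes_;
 public:
  void push(Node* n) { if (!contains(n)) nodes_.push_back(n); }
  bool contains(Node* n) const { return std::find(nodes_.begin(), nodes_.end(), n) != nodes_.end(); }
  void remove(Node* n) { nodes_.erase(std::remove(nodes_.begin(), nodes_.end(), n), nodes_.end()); }
  // Entries that point at already-destructed nodes: the use-after-free exposure.
  std::size_t stale_count() const {
    return static_cast<std::size_t>(
        std::count_if(nodes_.begin(), nodes_.end(), [](Node* n) { return !n->alive; }));
  }
};

// Models GraphKit::clone_map: recording the clone for IGVN is a side effect of cloning.
Node* clone_map(UniqueNodeList& for_igvn, int id) {
  Node* clone = new Node{id};
  for_igvn.push(clone);          // record_for_igvn
  return clone;
}

// Models Node::destruct in this toy: mark dead rather than free (see lead-in).
void destruct(Node* n) { n->alive = false; }

// Before the fix: only the node is torn down; the worklist keeps the pointer.
void discard_clone_before_fix(UniqueNodeList&, Node* clone) { destruct(clone); }

// After the fix (GraphKit::destruct_map_clone): un-record first, then destruct.
void destruct_map_clone(UniqueNodeList& for_igvn, Node* clone) {
  for_igvn.remove(clone);
  destruct(clone);
}

// Number of stale worklist entries left after one clone-and-discard cycle.
std::size_t stale_after_discard(bool fixed) {
  UniqueNodeList for_igvn;
  Node* clone = clone_map(for_igvn, 42);
  if (fixed) destruct_map_clone(for_igvn, clone);
  else       discard_clone_before_fix(for_igvn, clone);
  std::size_t stale = for_igvn.stale_count();
  delete clone;                  // toy only; the real node would already be gone
  return stale;
}
```

A sanitizer build (ASan) of the real compiler would report the pre-fix case as a heap-use-after-free the moment IGVN walks the worklist.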
