RFR: 8336095: Use-after-free in Superword leads to memory corruption
Tobias Hartmann
thartmann at openjdk.org
Wed Jul 24 05:23:31 UTC 2024
On Tue, 23 Jul 2024 14:46:30 GMT, Richard Reingruber <rrich at openjdk.org> wrote:
>> [JDK-8333684](https://bugs.openjdk.org/browse/JDK-8333684) refactored code in Superword and moved a [ResourceMark](https://github.com/openjdk/jdk/blob/46c37686454321011541499a79c776f774ff2b57/src/hotspot/share/opto/superword.cpp#L1999) such that a re-allocation of the `Node_List` `IdealLoopTree::_body` now happens within a nested ResourceMark. `IdealLoopTree::_body` is still live and used once we leave the scope of that ResourceMark, leading to a use-after-free bug causing memory corruption (for details, see JBS):
>>
>>
>> V [libjvm.so+0x13068b6] Node_Array::grow(unsigned int)+0x5e (node.cpp:2776)
>> V [libjvm.so+0x51e4ec] Node_Array::map(unsigned int, Node*)+0x24 (node.hpp:1621)
>> V [libjvm.so+0x51e53b] Node_List::push(Node*)+0x33 (node.hpp:1653)
>> V [libjvm.so+0x149a51f] PhaseIdealLoop::register_new_node(Node*, Node*)+0xf3 (split_if.cpp:440)
>> V [libjvm.so+0x1197813] PhaseIdealLoop::register_new_node_with_ctrl_of(Node*, Node*)+0x3d (loopnode.hpp:1682)
>> V [libjvm.so+0x170b1d7] VTransformNode::register_new_node_from_vectorization(VLoopAnalyzer const&, Node*, Node*) const+0x47 (vtransform.cpp:357)
>> V [libjvm.so+0x170b124] VTransformVectorNode::register_new_node_from_vectorization_and_replace_scalar_nodes(VLoopAnalyzer const&, Node*) const+0x64 (vtransform.cpp:347)
>> V [libjvm.so+0x170af20] VTransformLoadVectorNode::apply(VLoopAnalyzer const&, GrowableArray<Node*> const&) const+0x244 (vtransform.cpp:322)
>> V [libjvm.so+0x1564232] VTransformGraph::apply_vectorization_for_each_vtnode(unsigned int&, unsigned int&) const+0xd2 (superword.cpp:2008)
>> V [libjvm.so+0x15643b0] VTransform::apply_vectorization() const+0x76 (superword.cpp:2029)
>> V [libjvm.so+0x15637bf] VTransform::apply()+0x201 (superword.cpp:1902)
>> V [libjvm.so+0x156359a] SuperWord::schedule_and_apply() const+0x15c (superword.cpp:1876)
>> V [libjvm.so+0x155d90e] SuperWord::SLP_extract()+0x192 (superword.cpp:477)
>> V [libjvm.so+0x155d705] SuperWord::transform_loop()+0x157 (superword.cpp:392)
>> V [libjvm.so+0x11ccbed] PhaseIdealLoop::auto_vectorize(IdealLoopTree*, VSharedData&)+0x12d (loopopts.cpp:4448)
>> V [libjvm.so+0x11af8fb] PhaseIdealLoop::build_and_optimize()+0x1869 (loopnode.cpp:4894)
>> V [libjvm.so+0x9d4331] PhaseIdealLoop::PhaseIdealLoop(PhaseIterGVN&, LoopOptsMode)+0x163 (loopnode.hpp:1117)
>> V [libjvm.so+0x9d4599] PhaseIdealLoop::optimize(PhaseIterGVN&, LoopOptsMode)+0x47 (loopnode.hpp:1197)
>> V [libjvm.so+0x9c46b8] Compile::optimize_loops(PhaseIterGVN&, LoopOptsMode)+0x68 (compile.cpp:2171...
>
> I tried but could not reproduce the issues with your fix. They do reproduce with baseline.
> Nighly tests are pending.
Thanks Richard and Vladimir. I'll wait for final confirmation from @reinrich before integrating this.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/20297#issuecomment-2246924295
More information about the hotspot-compiler-dev
mailing list