RFR: 8130212: Thread::current() might access freed memory on Solaris
Christian Thalinger
christian.thalinger at oracle.com
Wed Jul 29 22:38:24 UTC 2015
> On Jul 29, 2015, at 3:25 PM, David Holmes <david.holmes at oracle.com> wrote:
>
> <replying on hotspot-dev>
>
> On 30/07/2015 1:28 AM, Christian Thalinger wrote:
>> Now that threadLS_solaris_sparc.{cpp,hpp} and threadLS_solaris_x86.{cpp,hop} look exactly the same it would be nice to merge them into threadLS_solaris.{cpp,hpp}.
>
> In the next phase:
>
> https://bugs.openjdk.java.net/browse/JDK-8132510
>
> these files will disappear completely. Can this wait till then?
Yes.
>
> Thanks,
> David
>
>>> On Jul 28, 2015, at 10:56 PM, David Holmes <david.holmes at oracle.com> wrote:
>>>
>>> Moved to hotspot-dev so the compiler folk also see this for the MacroAssembler changes.
>>>
>>> David
>>>
>>> On 29/07/2015 3:53 PM, David Holmes wrote:
>>>> I forgot to credit Dave Dice with the suggestion to modernize this code.
>>>>
>>>> David
>>>>
>>>> On 29/07/2015 3:46 PM, David Holmes wrote:
>>>>> Summary: replace complex custom code for maintaining ThreadLocalStorage
>>>>> with compiler supported thread-local variables (Solaris only)
>>>>>
>>>>> This is a non-public bug so let me explain with some background, the
>>>>> bug, and then the fix - which involves lots of complex-code deletion and
>>>>> addition of some very simple code. :)
>>>>>
>>>>> webrev: http://cr.openjdk.java.net/~dholmes/8130212/webrev/
>>>>>
>>>>> In various parts of the runtime and in compiler generated code we need
>>>>> to get a reference to the (VM-level) Thread* of the currently executing
>>>>> thread. This is what Thread::current() returns. For performance reasons
>>>>> we also have a fast-path on 64-bit where the Thread* is stashed away in
>>>>> a register (g7 on sparc, r15 on x64).
>>>>>
>>>>> So Thread::current() is actually a slow-path mechanism and it delegates
>>>>> to ThreadLocalStorage::thread().
>>>>>
>>>>> On some systems ThreadLocalStorage::thread utilizes a caching mechanism
>>>>> to try and speed up access to the current thread. Otherwise it calls
>>>>> into yet another "slow" path which uses the available platform
>>>>> thread-specific-storage APIs.
>>>>>
>>>>> Compiled code also has a slow-path get_thread() method which uses
>>>>> assembly code to invoke the same platform thread-specific-storage APIs
>>>>> (in some cases - on sparc it simply calls ThreadLocalStorage::thread()).
>>>>>
>>>>> On Solaris 64-bit (which is all we support today) there is a simple
>>>>> 1-level thread cache which is an array of Thread*. If a thread doesn't
>>>>> find itself in the slot for the hash of its id it inserts itself there.
>>>>> As a thread terminates it clears out its ThreadLocalStorage values
>>>>> including any cached reference.
>>>>>
>>>>> The bug is that we have potential for a read-after-free error due to
>>>>> this code:
>>>>>
>>>>> 46 uintptr_t raw = pd_raw_thread_id();
>>>>> 47 int ix = pd_cache_index(raw); // hashes id
>>>>> 48 Thread* candidate = ThreadLocalStorage::_get_thread_cache[ix];
>>>>> 49 if (candidate->self_raw_id() == raw) {
>>>>> 50 // hit
>>>>> 51 return candidate;
>>>>> 52 } else {
>>>>> 53 return ThreadLocalStorage::get_thread_via_cache_slowly(raw,
>>>>> ix);
>>>>> 54 }
>>>>>
>>>>> The problem is that the value read as candidate could be a thread that
>>>>> (after line 48) terminated and was freed. But line #49 then reads the
>>>>> raw id of that thread, which is then a read-after-free - which is a "Bad
>>>>> Thing (TM)".
>>>>>
>>>>> There's no simple fix for the caching code - you would need a completely
>>>>> different approach (or synchronization that would nullify the whole
>>>>> point of the cache).
>>>>>
>>>>> Now all this ThreadLocalStorage code is pretty old and was put in place
>>>>> to deal with inadequacies of the system provided thread-specific-storage
>>>>> API. In fact on Solaris we even by-pass the public API
>>>>> (thr_getspecific/thr_setspecific) when we can and implement our own
>>>>> version using lower-level APIs available in the T1/T2 threading
>>>>> libraries!
>>>>>
>>>>> In mid-2015 things have changed considerably and we have reliable and
>>>>> performant support for thread-local variables at the C+ language-level.
>>>>> So the way to maintain the current thread is simply using:
>>>>>
>>>>> // Declaration of thread-local variable
>>>>> static __thread Thread * _thr_current
>>>>>
>>>>> inline Thread* ThreadLocalStorage::thread() {
>>>>> return _thr_current;
>>>>> }
>>>>>
>>>>> inline void ThreadLocalStorage::set_thread(Thread* thread) {
>>>>> _thr_current = thread;
>>>>> }
>>>>>
>>>>> And all the complex ThreadLocalStorage code with caching etc all
>>>>> vanishes!
>>>>>
>>>>> For my next trick I plan to try and remove the ThreadLocalStorage class
>>>>> completely by using language-based thread-locals on all platforms. But
>>>>> for now this is just Solaris and so we still need the ThreadLocalStorage
>>>>> API. However a lot of that API is not needed any more on Solaris so I
>>>>> have excluded it from there in the shared code (ifndef SOLARIS). But to
>>>>> avoid changing other shared-code callsites of ThreadLocalStorage I've
>>>>> kept part of the API with trivial implementations on Solaris.
>>>>>
>>>>> Testing: JPRT
>>>>> All hotspot regression tests
>>>>>
>>>>> I'm happy to run more tests but the nice thing about such low-level code
>>>>> is that if it is broken, it is always broken :) Every use of
>>>>> Thread::current or MacroAssembler::get_thread now hits this code.
>>>>>
>>>>> Performance: I've run a basic set of benchmarks that is readily
>>>>> available to me on our performance testing system. The best way to
>>>>> describe the result is neutral. There are some slight wins, and some
>>>>> slight losses, with most showing no statistical difference. And even the
>>>>> "wins" and "losses" are within the natural variations of the benchmarks.
>>>>> So a lot of complex code has been replaced by simple code and we haven't
>>>>> lost any observable performance - which seems like a win to me.
>>>>>
>>>>> Also product mode x64 libjvm.so has shrunk by 921KB - which is a little
>>>>> surprising but very nice.
>>>>>
>>>>> Thanks,
>>>>> David
>>
More information about the hotspot-dev
mailing list