[8u] RFR for JDK-8157548: JVM crashes sometimes while starting
Ioi Lam
ioi.lam at oracle.com
Mon Sep 19 18:38:36 UTC 2016
Hi Shafi,
The fix is correct. However, the crash is not inside strncmp.
I reproduced this bug inside gdb. When the crash happened, the
parsed_name Symbol is "j", which has one character. By luck, it occupies
the same space as a freed copy of the Symbol "java/lang/String". For
space saving, the string content in the Symbol is not nul terminated. Thus:
strncmp((const char*)parsed_name->bytes(), pkg, strlen(pkg))
would return true. However, when we later call
char* name = parsed_name->as_C_string();
char* index = strrchr(name, '/');
*index = '\0'; // <------- crash
name will be the 0-terminated string "j", and index would be NULL
(because '/' is not contained inside name). Storing into index would
cause the SEGV.
Thanks
- Ioi
On 9/18/16 10:14 PM, Shafi Ahmad wrote:
> Hi,
>
> Please review the small code change for bug: "JDK-8157548: JVM crashes sometimes while starting" on jdk8u-dev
>
> Summary:
> int strncmp(const char *s1, const char *s2, size_t n);
>
> s1 = "abcdefgh" // Assume this is not a null-terminated string.
> s2 = "abcdefghijk"
> n = 10
>
> If s1 is not null terminated, then for the above input strncmp may crash.
>
> In the expression marked as (B), parsed_name->bytes() returns the base address of a non-null-terminated string buffer.
>
> + size_t pkglen = strlen(pkg);
> if (!HAS_PENDING_EXCEPTION &&
> !class_loader.is_null() &&
> parsed_name != NULL &&
> - !strncmp((const char*)parsed_name->bytes(), pkg, strlen(pkg))) {
> + parsed_name->utf8_length() >= (int)pkglen && // ------------------------------ (A)
> + !strncmp((const char*)parsed_name->bytes(), pkg, pkglen)) { //------------------------------ (B)
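Review bot: check (A) makes the strncmp in (B) safe, but the code that follows the condition still does `strrchr(name, '/')` and then stores through the result unconditionally (`*index = '\0';`, as quoted in Ioi's reply above), which only stays NULL-safe because every pkg passed here is assumed to contain a '/'; (A) and (B) guarantee only that the first pkglen bytes equal pkg, so either add a NULL check on index or a comment stating that invariant next to the strrchr. Also, the `// ---- (A)` and `(B)` markers are e-mail annotations and should not be committed with the change.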
>
> Adding the expression marked as (A) avoids an input scenario like the one above.
>
> Webrev: http://cr.openjdk.java.net/~shshahma/8157548/webrev.00/
> Jdk8 bug: https://bugs.openjdk.java.net/browse/JDK-8157548
>
> Test: Run jprt
>
> Note: Thanks to Ioi for providing the code change.
>
> Regards,
> Shafi
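The failure mode Ioi describes above, as an added C example that is not HotSpot code and is not part of either message in this thread: a length-plus-bytes `Symbol` stand-in without a NUL terminator, the pre-fix `strncmp` prefix test beside the guarded one from the webrev, and a constructed arena in which a one-character Symbol "j" is allocated over the stale bytes of a freed "java/lang/String". The `Symbol` struct, `run_scenario()`, its arena layout and the package string "java/" are assumptions made for the demonstration; the real `Symbol::utf8_length()`, `bytes()` and `as_C_string()` are only mimicked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for HotSpot's Symbol (an assumption, not the real class): a length
 * plus a pointer to bytes that are NOT NUL-terminated, as the thread describes.
 */
typedef struct {
    int length;          /* plays the role of utf8_length() */
    const char *bytes;   /* plays the role of bytes(): no terminator follows */
} Symbol;

/* Mimics as_C_string(): heap copy with a terminator appended; caller frees. */
static char *symbol_as_c_string(const Symbol *s) {
    char *out = malloc((size_t)s->length + 1);
    if (out == NULL) abort();
    memcpy(out, s->bytes, (size_t)s->length);
    out[s->length] = '\0';
    return out;
}

/* Pre-fix test: compares strlen(pkg) bytes however short the Symbol is, so it
 * reads whatever stale bytes happen to follow a short Symbol in memory. */
static bool prefix_match_unguarded(const Symbol *s, const char *pkg) {
    return strncmp(s->bytes, pkg, strlen(pkg)) == 0;
}

/* Post-fix test, i.e. check (A) from the webrev: compare only when the Symbol
 * is at least pkglen bytes long. */
static bool prefix_match_guarded(const Symbol *s, const char *pkg) {
    size_t pkglen = strlen(pkg);
    return s->length >= (int)pkglen && strncmp(s->bytes, pkg, pkglen) == 0;
}

/*
 * Mirrors the code path after the prefix test: strip the last '/' component.
 * Returns 0 if the prefix test rejected the name, 1 if it matched and a '/'
 * was found, and -1 if it matched but strrchr() returned NULL, which is the
 * case where the original `*index = '\0'` stores through a NULL pointer.
 * The store is skipped here instead of crashing so the outcome can be reported.
 */
static int package_strip_outcome(const Symbol *s, const char *pkg, bool guarded) {
    bool match = guarded ? prefix_match_guarded(s, pkg)
                         : prefix_match_unguarded(s, pkg);
    if (!match) return 0;
    char *name = symbol_as_c_string(s);
    char *index = strrchr(name, '/');
    int rc = (index == NULL) ? -1 : 1;
    if (index != NULL) *index = '\0';
    free(name);
    return rc;
}

/*
 * Constructed memory layout reproducing the gdb observation: the bytes of a
 * freed Symbol ("stale") are still present in the arena, and a shorter Symbol
 * ("fresh") is allocated over the start of that same space.
 */
static int run_scenario(const char *stale, const char *fresh,
                        const char *pkg, bool guarded) {
    static char arena[64];
    if (strlen(stale) >= sizeof arena || strlen(fresh) >= sizeof arena) abort();
    memset(arena, 0, sizeof arena);
    memcpy(arena, stale, strlen(stale));   /* leftover content of the freed Symbol */
    memcpy(arena, fresh, strlen(fresh));   /* new Symbol reuses the same bytes */
    Symbol s = { (int)strlen(fresh), arena };
    return package_strip_outcome(&s, pkg, guarded);
}

int main(void) {
    /* "j" on top of a freed "java/lang/String", pkg "java/" (assumed value) */
    printf("unguarded, stale 'j':   %d  (-1: matched via stale bytes, strrchr NULL)\n",
           run_scenario("java/lang/String", "j", "java/", false));
    printf("guarded,   stale 'j':   %d  ( 0: rejected by the length check)\n",
           run_scenario("java/lang/String", "j", "java/", true));
    printf("guarded,   real name:   %d  ( 1: matched, '/' found)\n",
           run_scenario("", "java/lang/String", "java/", true));
    /* Caveat: the length check only helps because pkg contains a '/'. A pkg
     * without one (hypothetical) would still reach strrchr() == NULL. */
    printf("guarded,   pkg w/o '/': %d  (-1: strrchr NULL again)\n",
           run_scenario("", "javax", "javax", true));
    return 0;
}
```

The unguarded path reports -1 for the stale "j" case because `strncmp` happily compares the five bytes "java/" that belong to the freed Symbol, so the prefix test passes and the later `strrchr` on the real one-character name finds nothing; the guarded path rejects it on length alone. The last scenario is the remaining caveat: the length check keeps `strncmp` inside the Symbol, but the NULL-safety of the `strrchr` result still depends on pkg containing a '/'.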