RFR: 8258077: Using -Xcheck:jni can lead to a double-free after JDK-8193234
David Holmes
david.holmes at oracle.com
Tue Dec 15 05:07:55 UTC 2020
Hi Dmitry,
On 15/12/2020 4:51 am, Dmitry Timofeev wrote:
> Hi David,
>
> Thanks for submitting the issues!
>
>> This particular issue is only about the GetCritical API in relation to
> the change in JDK-8193234 which introduced the explicit free of the
> internally allocated buffer used only for Xcheck:jni.
>
> As
[`check_wrapped_array_release`](https://github.com/openjdk/jdk/blob/976acddeb5a8df1e868269787c023306aad3fe4a/src/hotspot/share/prims/jniCheck.cpp#L422-L441),
modified in JDK-8193234, is re-used in both
[ReleaseCritical](https://github.com/openjdk/jdk/blob/976acddeb5a8df1e868269787c023306aad3fe4a/src/hotspot/share/prims/jniCheck.cpp#L1887)
and
[ReleaseScalar](https://github.com/openjdk/jdk/blob/976acddeb5a8df1e868269787c023306aad3fe4a/src/hotspot/share/prims/jniCheck.cpp#L1717)
in checked mode, it is not just GetCritical API that is affected, but
also GetXArrayElements methods.
Thanks for the correction - I'm not sure if I realized at the time that
this affected both API's. :(
David
-----
> That is, a supposedly valid client code:
>
> var buf = env->GetByteArrayElements(jarray, ...);
> // Just commit, do not free
> env->ReleaseByteArrayElements(jarray, buf, JNI_COMMIT);
> // Commit and free
> env->ReleaseByteArrayElements(jarray, buf, 0);
>
> will result in an error with `check:jni` enabled. However, an incomplete usage, with a leak in client code:
>
>
> var buf = env->GetByteArrayElements(jarray, ...);
> // Just commit, do not free
> env->ReleaseByteArrayElements(jarray, buf, JNI_COMMIT);
> // buf is not freed
>
> will neither trigger an error, nor cause a `buf` leak with `check:jni` mode enabled (because of JDK-8193234), but will leak without JNI checks.
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/1697
>
More information about the hotspot-dev
mailing list