RFR: 8335362: [Windows] Stack pointer increment in _cont_thaw stub can cause program to terminate with exit code 0xc0000005 [v3]
Patricio Chilano Mateo
pchilanomate at openjdk.org
Fri Sep 6 15:27:41 UTC 2024
> Please review the following fix. In stub routine cont_thaw() we bump the stack pointer by the maximum size required to copy the frames currently stored in the top stackChunk. On Windows this increment of the stack pointer doesn't play nice with the way Windows sets up and manages stack pages. When a thread is created the stack is divided in 3 memory regions: regular committed pages, guard pages, reserved pages. The first pages are committed and the thread can read/write to them with no issues. The next pages (~2/3) are guard pages, which are committed but have the PAGE_GUARD attribute. When the thread tries to access a guard page for the first time, the PAGE_GUARD attribute is removed and a new guard page from the reserved region is added. The rest of the stack is reserved pages, and if we try to access it directly we get an EXCEPTION_ACCESS_VIOLATION (see bug for more details). So the problem is that we can bump the stack pointer too much and set it to point somewhere in the reserved region. When we then execute the call instruction for method thaw(), we get an EXCEPTION_ACCESS_VIOLATION exception, but because we cannot access the memory at the current stack pointer, we cannot call any method anymore, including the exception handler, and the program terminates abruptly with exit code 0xc0000005.
>
> The fix implemented is to bang the stack pages one by one to let the Windows page protection take over. This is what we already do in os::map_stack_shadow_pages() in JavaCalls::call_helper(), and also in interpreter (bang_stack_shadow_pages()) and compiler (generate_stack_overflow_check()) code. It's actually also the same mechanism that the Windows routine _chkstk, used by the compiler, employs (see bug comments with assembly code).
>
> I added new test BigStackChunk.java that reproduces the issue. The test fails without this fix and passes with it. I also tested the patch by running in mach5 tiers1-7.
>
> Thanks,
> Patricio
Patricio Chilano Mateo has updated the pull request incrementally with one additional commit since the last revision:
fix update in map_stack_shadow_pages
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/20862/files
- new: https://git.openjdk.org/jdk/pull/20862/files/a5326f1f..00d5e9c5
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=20862&range=02
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=20862&range=01-02
Stats: 3 lines in 1 file changed: 1 ins; 0 del; 2 mod
Patch: https://git.openjdk.org/jdk/pull/20862.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/20862/head:pull/20862
PR: https://git.openjdk.org/jdk/pull/20862
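The page-by-page stack bang described in the PR, as an added example that is not part of PR 20862 or HotSpot. It reserves a large stack frame with alloca (standing in for the thaw stub's stack pointer bump) and, before using it, stores one byte per page from the highest page downward, so each store lands at most one page below the previous one and the operating system's guard page is always hit before anything beyond it. The function names (bang_pages, probes_needed, reserve_and_bang, os_page_size) and the 256 KiB frame size are this example's own choices, not names from the JDK sources.

```c
/* Added example (not HotSpot code): bang a freshly reserved stack region one
 * page at a time, highest page first, the way _chkstk and HotSpot's
 * bang_stack_shadow_pages() do, instead of moving the stack pointer past the
 * guard page in a single jump. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(_WIN32)
#include <windows.h>
#include <malloc.h>
#define STACK_ALLOC(n) _alloca(n)
size_t os_page_size(void) {
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return (size_t)si.dwPageSize;
}
#else
#include <unistd.h>
#include <alloca.h>
#define STACK_ALLOC(n) alloca(n)
size_t os_page_size(void) {
    long p = sysconf(_SC_PAGESIZE);
    return p > 0 ? (size_t)p : 4096; /* fallback is an assumption for odd libcs */
}
#endif

/* Number of one-per-page probes a frame of frame_bytes needs (round up). */
size_t probes_needed(size_t frame_bytes, size_t page) {
    return (frame_bytes + page - 1) / page;
}

/* Store one byte on every page between top (highest address) and bottom,
 * descending. Order matters: a store that skipped a page could land on a
 * reserved page beyond the guard page, which is exactly the failure the PR
 * fixes. Returns the number of page probes performed. */
size_t bang_pages(volatile char *bottom, volatile char *top, size_t page) {
    size_t total = (size_t)(top - bottom) + 1;
    size_t n = 0;
    for (size_t off = 0; off < total; off += page) {
        top[-(ptrdiff_t)off] = 0; /* one probe per page, highest page first */
        n++;
    }
    *bottom = 0; /* final probe at the new stack limit itself */
    return n;
}

/* Reserve frame_bytes on the stack, bang it page by page, then use it.
 * frame_bytes must still fit in the thread's stack limit: banging makes an
 * overflow arrive as a normal guard-page exception, it does not add stack.
 * Note that MSVC already emits a _chkstk probe for _alloca; the explicit
 * loop is here to show the mechanism a hand-written stub must supply. */
size_t reserve_and_bang(size_t frame_bytes) {
    size_t page = os_page_size();
    volatile char *frame = STACK_ALLOC(frame_bytes);
    size_t banged = bang_pages(frame, frame + frame_bytes - 1, page);
    frame[0] = 1;                 /* whole frame is now committed and usable */
    frame[frame_bytes - 1] = 1;
    return banged;
}

int main(void) {
    size_t frame = 256 * 1024; /* well under the 1 MiB default Windows stack */
    size_t n = reserve_and_bang(frame);
    printf("banged %zu pages for a %zu-byte frame (page size %zu)\n",
           n, frame, os_page_size());
    return n == probes_needed(frame, os_page_size()) ? 0 : 1;
}
```

The thaw stub cannot rely on a compiler to insert _chkstk for it, which is why the fix performs this loop explicitly; the unsafe alternative the PR describes (one large subtract from the stack pointer followed by a call) is not reproduced here because it cannot be written portably without inline assembly.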
More information about the hotspot-dev mailing list