RFR: 8359200: Memory corruption in MStack::push [v2]

Tobias Hartmann thartmann at openjdk.org
Thu Jun 12 11:41:54 UTC 2025


> I found this by accident when running testing with non-default `-XX:OptoNodeListSize` (see JBS for details). The problem is that `MStack::push` assumes that `Node_Stack::grow` will always grow the stack by at least two (line 69) and it then proceeds to put two items in:
> https://github.com/openjdk/jdk/blob/db6fa5923cd0394dfb44c7e46c3e7ccc102a933a/src/hotspot/share/opto/matcher.hpp#L67-L74
> 
> But after [JDK-8336999](https://bugs.openjdk.org/browse/JDK-8336999), `Node_Stack::grow` will only grow the stack if needed:
> https://github.com/openjdk/jdk/blob/db6fa5923cd0394dfb44c7e46c3e7ccc102a933a/src/hotspot/share/opto/node.cpp#L3027-L3031
> 
> However, if there's **one** empty slot, the stack will not be grown and `MStack::push` then puts **two** items on the stack which leads to memory corruption.
> 
> I refactored the push method to delegate to `Node_Stack::push` which does the right thing and, similar to [JDK-8343056](https://bugs.openjdk.org/browse/JDK-8343056), also added `maybe_grow` methods for all the containers affected by the original change. For additional coverage, I moved the `_nesting.check` calls to before the check that determines if we grow.
> 
> I only ever observed this with a non-default and odd value for `-XX:OptoNodeListSize` but I'm not 100% convinced that it can't happen with the default value, so I'm treating this as P2 and will backport the fix to JDK 25.
> 
> @shipilev Since you worked on [JDK-8343056](https://bugs.openjdk.org/browse/JDK-8343056), could you please take a look at this?
> 
> Thanks,
> Tobias

Tobias Hartmann has updated the pull request incrementally with one additional commit since the last revision:

  Improved assert message

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/25751/files
  - new: https://git.openjdk.org/jdk/pull/25751/files/ec817585..8ac8fcd0

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=25751&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=25751&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.org/jdk/pull/25751.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/25751/head:pull/25751

PR: https://git.openjdk.org/jdk/pull/25751
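The one-free-slot failure described in the quoted PR text, as an added model that is not HotSpot's own code: `ModelStack`, `push_pair_buggy` and `push_pair_fixed` are stand-ins for `Node_Stack`, the old two-slot `MStack::push` and the refactored version that delegates to `Node_Stack::push`; the buggy path reports failure instead of actually writing out of bounds so the overflow condition can be observed.

```cpp
// Added model of the bug in the PR text (not HotSpot code): grow() only grows
// when full (post-JDK-8336999); buggy push checks once, writes two slots.
#include <cstddef>
#include <vector>
struct Entry { int node; unsigned idx; };
class ModelStack {
 public:
  explicit ModelStack(size_t cap) : _buf(cap), _top(0), _max(cap) {}
  // Grow only if needed: a stack with one free slot is left untouched.
  void grow() {
    if (_top < _max) return;
    _max = _max == 0 ? 1 : _max * 2;
    _buf.resize(_max);
  }
  // Safe single-slot primitive: grow() guarantees _top < _max before the write.
  void push(int node, unsigned idx) {
    grow();
    _buf[_top++] = Entry{node, idx};
  }
  // Buggy pattern: one grow() call, then two writes. The guard stands in for
  // the out-of-bounds write the real code performs: it fails exactly when
  // grow() was a no-op (one free slot) but two slots were needed.
  bool push_pair_buggy(int parent, unsigned pidx, int node, unsigned nidx) {
    grow();
    if (_top + 2 > _max) return false;
    _buf[_top++] = Entry{parent, pidx};
    _buf[_top++] = Entry{node, nidx};
    return true;
  }
  // Fixed pattern: each slot goes through push(), which re-checks capacity.
  void push_pair_fixed(int parent, unsigned pidx, int node, unsigned nidx) {
    push(parent, pidx);
    push(node, nidx);
  }
  size_t size() const { return _top; }
 private:
  std::vector<Entry> _buf;
  size_t _top, _max;
};

// Leave exactly one free slot in a stack of capacity cap, then pair-push via
// the chosen path. Returns the final size, or 0 if the buggy path would have
// written out of bounds.
size_t pair_push_with_one_free_slot(size_t cap, bool use_fixed) {
  ModelStack s(cap);
  for (size_t i = 0; i + 1 < cap; i++) s.push((int)i, 0);
  if (use_fixed) { s.push_pair_fixed(-1, 0, -2, 1); return s.size(); }
  return s.push_pair_buggy(-1, 0, -2, 1) ? s.size() : 0;
}
```

With any capacity the buggy path fails as soon as exactly one slot is free, while the fixed path grows on the second write and ends at capacity plus one.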
