RFR: 8340297: Use-after-free recognition for metaspace and class space [v8]
    Thomas Stuefe
    stuefe at openjdk.org
    Thu Sep 25 15:01:53 UTC 2025

> This patch will give us use-after-free recognition for Metaspace and Class space. 
> 
> Currently, checks for Klass validity typically only perform a variation of `Metaspace::contains` and some other basic tests. These checks won't find cases where the Klass had been prematurely freed (e.g., after class redefinition), nor cases of unloaded classes if the underlying metaspace chunks have not been uncommitted, which is quite common. 
> 
> The patch also provides us with improved analysis methods in case we encounter problems. E.g., answering whether the Klass had been redefined or unloaded.
> 
> The implementation aims to be simple, fast, and safe against false positives. There is a small but non-null chance that we could get false negatives, but that cannot be avoided.
> 
> How this works:
> 
> - In `class Metadata`, we introduce a 32-bit token that holds the type of the object (1). It replaces the old "is_valid" field of the same size. That one was of limited use since any non-null garbage in those four bytes would be read as valid.
> - To check a Metadata for validity, the token is checked. Checks are done with SafeFetch, so they can be done with questionable pointers (e.g. into uncommitted metaspace after class unloading).
> - When metaspace is freed (bulk free after class unloading), the released chunks are zapped, destroying all tokens in the area.
> - When metaspace is freed (prematurely, e.g., after class redefinition), the released blocks are zapped.
> - The new checks replace Metadata::is_valid and supplement some other metadata checks done in GCs.
> 
> Testing: The patch has been extensively tested manually, at Oracle, and SAP. Tests were thorough to not only catch errors in the patch, but also to see if the patch would uncover a lot of existing sleeper bugs. So far, we only found a single bug in Shenandoah.
> 
> Note: I did not yet hook up the new test to c1/c2 compiled code (there are already unimplemented functions for that). That is possible, but left for a later RFE.
Thomas Stuefe has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 18 commits:
 - Merge master
 - Feedback Johan, Axel
 - Merge branch 'master' into JDK-8340297-Metaspace-API-for-checking-if-address-is-in-use
 - remove stray macro
 - feedback Caspar
 - Merge branch 'master' into JDK-8340297-Metaspace-API-for-checking-if-address-is-in-use
 - Feedback Johan
 - Merge branch 'openjdk:master' into JDK-8340297-Metaspace-API-for-checking-if-address-is-in-use
 - merge master
 - copyrights
 - ... and 8 more: https://git.openjdk.org/jdk/compare/569e7808...b957115c
-------------
Changes: https://git.openjdk.org/jdk/pull/25891/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=25891&range=07
  Stats: 483 lines in 26 files changed: 399 ins; 27 del; 57 mod
  Patch: https://git.openjdk.org/jdk/pull/25891.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/25891/head:pull/25891
PR: https://git.openjdk.org/jdk/pull/25891
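The mechanism the quoted PR description outlines (a per-object type token, a fault-tolerant read of that token, and zapping of freed metaspace so stale tokens disappear) is small enough to model end to end. The block below is an added illustration written for this page; it is not HotSpot code and not part of the PR. `ToyMetaspace`, `MetaKind`, the token values, the zap byte and the `safe_fetch32` stand-in (which emulates SafeFetch32's "return a default instead of faulting" behaviour with a committed flag rather than a signal handler) are all constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cstddef>
#include <vector>

// Constructed token values: each Metadata kind gets a distinct 32-bit pattern.
enum class MetaKind : uint32_t {
  Klass  = 0x4b4c4153,  // "KLAS"
  Method = 0x4d455448,  // "METH"
};

struct Metadata {
  uint32_t kind_token;  // replaces the old "any non-null word means valid" field
  uint32_t payload;
};

constexpr uint8_t kZapByte = 0xBA;  // constructed zap pattern (non-zero on purpose)

// Toy metaspace: one region that is either committed or released.
class ToyMetaspace {
 public:
  explicit ToyMetaspace(size_t bytes) : buf_(bytes, 0) {}

  Metadata* allocate(MetaKind kind, uint32_t payload) {
    if (top_ + sizeof(Metadata) > buf_.size()) return nullptr;
    Metadata* m = reinterpret_cast<Metadata*>(&buf_[top_]);
    top_ += sizeof(Metadata);
    m->kind_token = static_cast<uint32_t>(kind);
    m->payload = payload;
    return m;
  }

  // Premature free of one block (the class-redefinition case): zap the block.
  void deallocate(Metadata* m) { memset(m, kZapByte, sizeof(Metadata)); }

  // Bulk release (the class-unloading case): zap everything, then treat the
  // region as uncommitted so reads would fault in a real VM.
  void release_all() {
    memset(buf_.data(), kZapByte, buf_.size());
    committed_ = false;
  }

  bool contains(const void* p) const {
    const uint8_t* q = static_cast<const uint8_t*>(p);
    return q >= buf_.data() && q < buf_.data() + buf_.size();
  }

  // Stand-in for SafeFetch32: yields `deflt` where a plain load would fault.
  uint32_t safe_fetch32(const uint32_t* addr, uint32_t deflt) const {
    if (!committed_ || !contains(addr)) return deflt;
    return *addr;
  }

 private:
  std::vector<uint8_t> buf_;
  size_t top_ = 0;
  bool committed_ = true;
};

// Old-style check: contains() plus "the word is non-zero". Stale data passes.
bool old_is_valid(const ToyMetaspace& ms, const Metadata* m) {
  return ms.contains(m) && ms.safe_fetch32(&m->kind_token, 0) != 0;
}

// Token-based check: the word must equal the expected kind's token.
bool is_valid_metadata(const ToyMetaspace& ms, const Metadata* m, MetaKind expected) {
  if (!ms.contains(m)) return false;
  return ms.safe_fetch32(&m->kind_token, 0) == static_cast<uint32_t>(expected);
}

struct DemoResult {
  bool live_ok;                 // live object passes for its kind, fails for another
  bool freed_old_says_valid;    // old check still accepts a zapped block
  bool freed_new_says_valid;    // token check rejects it
  bool unloaded_new_says_valid; // token check on released memory: no fault, rejected
};

DemoResult run_demo() {
  ToyMetaspace ms(4096);
  Metadata* k = ms.allocate(MetaKind::Klass, 1);
  Metadata* m = ms.allocate(MetaKind::Method, 2);
  DemoResult r{};
  r.live_ok = is_valid_metadata(ms, k, MetaKind::Klass) &&
              !is_valid_metadata(ms, k, MetaKind::Method);
  ms.deallocate(k);  // "redefinition" frees k early; token is destroyed
  r.freed_old_says_valid = old_is_valid(ms, k);
  r.freed_new_says_valid = is_valid_metadata(ms, k, MetaKind::Klass);
  ms.release_all();  // "unloading" releases the whole region
  r.unloaded_new_says_valid = is_valid_metadata(ms, m, MetaKind::Method);
  return r;
}

int main() {
  DemoResult r = run_demo();
  std::printf("live=%d freed_old=%d freed_new=%d unloaded_new=%d\n",
              r.live_ok, r.freed_old_says_valid, r.freed_new_says_valid,
              r.unloaded_new_says_valid);
  return 0;
}
```

The model also shows where the false-negative window the description mentions comes from: the token check can only be fooled if the bytes at the probed address happen to equal a kind token, which is why the zap pattern is chosen to differ from every token and why an unreadable address is reported as invalid rather than triggering a fault.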