RFR (L): JDK-6843347 Boundary values in some public GC options cause crashes
Thomas Schatzl
thomas.schatzl at oracle.com
Fri May 3 08:46:03 UTC 2013
Hi all,

please review the following change that adds argument checking for
many non-boolean GC related options to avoid crashes, DOSes etc. when
passing particular option values.

The change only covers values accessible in a product build (product,
diagnostic, experimental and managed or so globals).

Bugs.sun:
http://bugs.sun.com/view_bug.do?bug_id=6843347

JBS:
https://jbs.oracle.com/bugs/browse/JDK-6843347

Webrev:
http://cr.openjdk.java.net/~tschatzl/6843347/webrev/

Testing:
jprt

Following is a list stating the reason for the particular check for each
changed global variable. Note that these changes also resulted in (one
or two) simplifications in code (e.g. checks/asserts that an int variable
is larger than zero). For most variables the problem is actually easy to
spot if you look for such errors, only some are more tricky. This
information is presented here.

NUMAInterleaveGranularity - must be > 0, task sizing, crash at os_windows.cpp:2866
NUMAPageScanRate - negative value gives an overflow in MutableNUMASpace::scan_pages(); intx->uintx
NUMAChunkResizeWeight - percentage boundary check; intx->uintx
NUMASpaceResizeRate - negative value gives overflow in MutableNUMASpace::initialize() and other errors following; intx->uintx
LogEventsBufferEntries - used to size buffer that is allocated on the heap, must be > 0; intx->uintx
HeapSizePerGCThread - used as divisor
GCTaskTimeStampEntries - used to size buffer allocated on the heap
ParallelGCBufferWastePct - overflow and degraded performance; percentage; intx->uintx
TargetPLABWastePct - percentage; used as divisor; intx->uintx
ParGCStridesPerThread - used as divisor in CardTableModRefBS::process_stride(); used for task sizing, must be > 0
ParGCCardsPerStrideChunk - incorrect operation in CardTableModRefBS::process_stride()
CMSOldPLABNumRefills - used as divisor
CMSOldPLABToleranceFactor - used as divisor
CMSOldPLABMin - results in use in divisor (and failing assertion)
CMSOldPLABMax - results in use in divisor (and failing assertion)
CMSYoungGenPerWorker - must be > 0, although it results in nothing serious since other safeguards help, but is unexpected. intx->uintx
CMS_FLSWeight - percentage
FLSCoalescePolicy - invalid value gives ShouldNotReachHere()
CMS_SweepWeight - percentage
CMSMaxAbortablePrecleanTime - time span, should not be negative
CMSRescanMultiple - used for task sizing, should be > 0
CMSConcMarkMultiple - used for task sizing, should be > 0
CMSPrecleanIter - must be < 10, fails assertion otherwise
CMSPrecleanDenominator, CMSPrecleanNumerator - other values fail assertion in concurrentMarkSweepGeneration
CMSScheduleRemarkEdenPenetration - percentage
CMSScheduleRemarkSamplingRatio - must be > 0, div by zero otherwise
CMSBitMapYieldQuantum - used for task sizing, should be > 0
CMSTriggerRatio - percentage
CMSIsTooFullPercentage - percentage
YoungGenerationSizeSupplementDecay - must be > 0, div by zero otherwise
TenuredGenerationSizeSupplementDecay - must be > 0, div by zero otherwise
WorkStealingSleepMillis - intx->uintx
MinRAMFraction - must be > 0, div by zero otherwise
InitialRAMFraction - ""
MaxRAMFraction - ""
DefaultMaxRAMFraction - ""
AdaptiveTimeWeight - percentage
AdaptiveSizeDecrementScaleFactor - must be > 0, div by zero otherwise
MinTLABSize - must be > 0, buffer allocation
TLABRefillWasteFraction - must be > 0, div by zero otherwise
MaxTenuringThreshold - 4 bit size limitation due to available storage
InitialTenuringThreshold - must be 0 <= x <= MaxTenuringThreshold
TargetSurvivorRatio - percentage
MarkSweepDeadRatio - percentage
MarkSweepAlwaysCompactCount - must be > 0, division by zero otherwise. Note that previously there has been code at the location where it was used that checked for zero values; now the argument processing fixes up the value as necessary. intx->uintx
QueuedAllocationWarningCount - intx->uintx
ParallelOldDeadWoodLimiterMean - documentation mentions value from 0..100
ParallelOldDeadWoodLimiterStdDev - documentation mentions value from 0..100
ParallelOldGCSplitInterval - used as divisor

Thanks,
Thomas
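
The check categories in the list above (percentage, divisor must be > 0, negative value wrapping on intx->uintx, and the tenuring threshold dependency), shown as an added example that is not part of the original mail or of the HotSpot change. `Bound`, `kBounds`, `validate` and `unchecked_uintx` are hypothetical names, and the lower bound of 0 for CMSPrecleanIter is an assumption.

```cpp
// Added illustration; not HotSpot source. All type and function names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Bound { int64_t lo, hi; const char* why; };
using Flags = std::map<std::string, int64_t>;

// A few options from the list, with the limits the mail states for them.
static const std::map<std::string, Bound> kBounds = {
    {"TargetSurvivorRatio",      {0, 100, "percentage"}},
    {"MinRAMFraction",           {1, INT64_MAX, "used as divisor, must be > 0"}},
    {"NUMAPageScanRate",         {0, INT64_MAX, "negative value overflows as uintx"}},
    {"CMSPrecleanIter",          {0, 9, "must be < 10"}},  // lower bound assumed
    {"MaxTenuringThreshold",     {0, 15, "4 bit size limitation"}},
    {"InitialTenuringThreshold", {0, 15, "must be 0 <= x <= MaxTenuringThreshold"}},
};

// What an unchecked intx->uintx conversion yields: -1 becomes UINT64_MAX.
uint64_t unchecked_uintx(int64_t v) { return static_cast<uint64_t>(v); }

// Check parsed values while they are still signed; one message per violation.
std::vector<std::string> validate(const Flags& flags) {
    std::vector<std::string> errors;
    for (const auto& kv : flags) {
        auto it = kBounds.find(kv.first);
        if (it == kBounds.end()) continue;  // option not covered by this sketch
        const Bound& b = it->second;
        if (kv.second < b.lo || kv.second > b.hi)
            errors.push_back(kv.first + "=" + std::to_string(kv.second) + ": " + b.why);
    }
    // Cross-option rule: the initial threshold may not exceed the maximum.
    auto init = flags.find("InitialTenuringThreshold");
    auto maxt = flags.find("MaxTenuringThreshold");
    if (init != flags.end() && maxt != flags.end() && init->second > maxt->second)
        errors.push_back("InitialTenuringThreshold > MaxTenuringThreshold");
    return errors;
}

int main() {
    // Constructed sample input: a zero divisor, a negative rate, and a threshold pair out of order.
    Flags sample = {{"MinRAMFraction", 0}, {"NUMAPageScanRate", -1},
                    {"MaxTenuringThreshold", 6}, {"InitialTenuringThreshold", 7}};
    for (const auto& e : validate(sample)) std::printf("%s\n", e.c_str());
    return 0;
}
```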