RFR: 8365604: Null pointer dereference in src/hotspot/share/adlc/output_h.cpp ArchDesc::declareClasses()
David Holmes
dholmes at openjdk.org
Wed Aug 20 12:28:38 UTC 2025
On Fri, 15 Aug 2025 11:58:48 GMT, Artem Semenov <asemenov at openjdk.org> wrote:
> The defect has been detected and confirmed in the function ArchDesc::declareClasses() located in the file src/hotspot/share/adlc/output_h.cpp with static code analysis. This defect can potentially lead to a null pointer dereference.
>
> The pointer instr->_matrule is dereferenced in line 1952 without checking for nullptr, although earlier in line 1858 the same pointer is checked for nullptr, which indicates that it can be null.
>
> According to [this](https://github.com/openjdk/jdk/pull/26002#issuecomment-3023050372) comment, this PR contains fixes for similar cases in other places.
Some alignment nits where you have added additional condition clauses.
Some of these are difficult to evaluate in isolation and will need review from the specific component areas.
src/hotspot/share/adlc/output_h.cpp line 1952:
> 1950: }*/
> 1951: else if( instr->is_ideal_copy() &&
> 1952: (instr->_matrule != nullptr && instr->_matrule->_rChild != nullptr) &&
Suggestion:
(instr->_matrule != nullptr && instr->_matrule->_rChild != nullptr) &&
src/hotspot/share/c1/c1_LinearScan.cpp line 4422:
> 4420:
> 4421: if ((cur != nullptr) &&
> 4422: (cur->from() < split_pos)) {
Suggestion:
(cur->from() < split_pos)) {
src/hotspot/share/nmt/mallocSiteTable.cpp line 172:
> 170: index < pos_idx && head != nullptr;
> 171: index++, head = ((MallocSiteHashtableEntry*)head->next() == nullptr) ? head :
> 172: (MallocSiteHashtableEntry*)head->next()) {}
This doesn't look right to me. We check `head != nullptr` in the loop condition so we cannot reach the assignment if it is null.
src/hotspot/share/opto/vectorIntrinsics.cpp line 1319:
> 1317: log_if_needed(" ** not supported: arity=%d op=%s vlen=%d etype=%s atype=%s ismask=no",
> 1318: is_scatter, is_scatter ? "scatter" : "gather",
> 1319: num_elem, type2name(elem_bt), type2name(arr_type->elem()->array_element_basic_type()));
There is a bug here but I'm not sure it is what you think it is.
-------------
Changes requested by dholmes (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/26798#pullrequestreview-3136325292
PR Review Comment: https://git.openjdk.org/jdk/pull/26798#discussion_r2287976814
PR Review Comment: https://git.openjdk.org/jdk/pull/26798#discussion_r2287984002
PR Review Comment: https://git.openjdk.org/jdk/pull/26798#discussion_r2287993050
PR Review Comment: https://git.openjdk.org/jdk/pull/26798#discussion_r2287996530
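The chain walk discussed in the mallocSiteTable.cpp comment above, as an added example (not HotSpot's code; `Entry` is a hypothetical stand-in for MallocSiteHashtableEntry): it shows that the loop condition's `head != nullptr` check already protects the dereference in the increment, and that the extra ternary changes where a walk past the end of the chain stops.

```cpp
// Added example, not HotSpot code: a minimal stand-in for the hashtable
// chain walk quoted from mallocSiteTable.cpp, to show that the loop
// condition's head != nullptr check is what protects the dereference in the
// increment, and what the extra ternary in the increment changes.
#include <cstddef>
#include <vector>

struct Entry {                        // hypothetical stand-in for MallocSiteHashtableEntry
  Entry* _next = nullptr;
  Entry* next() const { return _next; }
};

// Original shape: the condition requires head != nullptr before the
// increment runs, so head->next() can never dereference a null head.
// Returns the entry reached, or nullptr if the chain is shorter than pos_idx.
Entry* walk_plain(Entry* head, size_t pos_idx) {
  size_t index;
  for (index = 0; index < pos_idx && head != nullptr;
       index++, head = head->next()) {}
  return head;
}

// Shape quoted in the review: the increment re-checks next() and stays on the
// current entry instead of stepping onto a null link. The head dereference
// was already safe, and the walk now ends on the last entry instead of nullptr.
Entry* walk_with_extra_guard(Entry* head, size_t pos_idx) {
  size_t index;
  for (index = 0; index < pos_idx && head != nullptr;
       index++, head = (head->next() == nullptr) ? head : head->next()) {}
  return head;
}

// Build a chain of n entries (constructed test data) in the vector's storage.
std::vector<Entry> make_chain(size_t n) {
  std::vector<Entry> chain(n);
  for (size_t i = 0; i + 1 < n; i++) chain[i]._next = &chain[i + 1];
  return chain;
}

// True when both walks reach the same entry for this chain length and position.
bool walks_agree(size_t n, size_t pos_idx) {
  std::vector<Entry> chain = make_chain(n);
  Entry* head = chain.empty() ? nullptr : &chain[0];
  return walk_plain(head, pos_idx) == walk_with_extra_guard(head, pos_idx);
}
```

Both walks agree whenever the chain is at least as long as `pos_idx`; they differ only when the walk runs off the end, where the plain walk returns nullptr and the guarded one stays on the last entry.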
More information about the hotspot-jfr-dev mailing list