RFR: 8365604: Null pointer dereference in src/hotspot/share/adlc/output_h.cpp ArchDesc::declareClasses() [v2]
Andrew Dinn
adinn at openjdk.org
Thu Aug 21 10:01:59 UTC 2025
On Thu, 21 Aug 2025 09:08:58 GMT, Artem Semenov <asemenov at openjdk.org> wrote:
>> src/hotspot/share/nmt/mallocSiteTable.cpp line 172:
>>
>>> 170: index < pos_idx && head != nullptr;
>>> 171: index++, head = ((MallocSiteHashtableEntry*)head->next() == nullptr) ? head :
>>> 172: (MallocSiteHashtableEntry*)head->next()) {}
>>
>> This doesn't look right to me. We check `head != nullptr` in the loop condition so we cannot reach the assignment if it is null.
>
> A situation is possible where head becomes nullptr when `head->next()` returns nullptr on the last iteration. Then, after the loop finishes, `assert(head != nullptr)` will trigger (only in debug mode), and `return head->data()` will cause a program error.
Hmm, is it possible?
Perhaps you could explain how pos_idx is being used in this loop to guard against that happening and why that does not make this safe?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26798#discussion_r2290543955
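The loop quoted above, modeled as a stand-alone C++ program so the two cases the reviewers are discussing can be checked directly. This is an added example, not code from the PR or from HotSpot: `Entry` is a stand-in for `MallocSiteHashtableEntry`, `head` is assumed to start at the bucket's first entry with `index` at 0, and `walk_unguarded` is a constructed contrast with an unconditional `head = head->next()` that does not appear on the page.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Minimal stand-in for MallocSiteHashtableEntry (assumption: the real class
// carries more state; only next() matters for the loop under review).
struct Entry {
    int value;
    Entry* _next;
    explicit Entry(int v) : value(v), _next(nullptr) {}
    Entry* next() const { return _next; }
};

// Where a chain walk ended: the final head and the index reached.
struct WalkResult {
    Entry* head;
    size_t index;
};

// The loop as quoted in the review (lines 170-172). Assumption: head starts
// at the bucket's first entry and index at 0. The ternary keeps head parked
// on the last entry once next() is null instead of advancing past it.
WalkResult walk_quoted(Entry* head, size_t pos_idx) {
    size_t index;
    for (index = 0;
         index < pos_idx && head != nullptr;
         index++, head = (head->next() == nullptr) ? head : head->next()) {}
    return {head, index};
}

// Constructed contrast (not on the page): same loop, unconditional advance.
WalkResult walk_unguarded(Entry* head, size_t pos_idx) {
    size_t index;
    for (index = 0;
         index < pos_idx && head != nullptr;
         index++, head = head->next()) {}
    return {head, index};
}

// Build e0 -> e1 -> ... -> e(n-1) -> nullptr. The vector owns the entries;
// reserve() keeps their addresses stable while the links are set up.
std::vector<Entry> make_chain(int n) {
    std::vector<Entry> v;
    v.reserve(n);
    for (int i = 0; i < n; i++) v.emplace_back(i);
    for (int i = 0; i + 1 < n; i++) v[i]._next = &v[i + 1];
    return v;
}

// Value of the entry the quoted loop ends on, or -1 if head ends up null
// (the case where the assert mentioned in the thread would fire).
int quoted_value_at(int chain_len, size_t pos_idx) {
    std::vector<Entry> chain = make_chain(chain_len);
    Entry* head = chain_len > 0 ? &chain[0] : nullptr;
    WalkResult r = walk_quoted(head, pos_idx);
    return r.head ? r.head->value : -1;
}

// Same probe for the unguarded variant.
int unguarded_value_at(int chain_len, size_t pos_idx) {
    std::vector<Entry> chain = make_chain(chain_len);
    Entry* head = chain_len > 0 ? &chain[0] : nullptr;
    WalkResult r = walk_unguarded(head, pos_idx);
    return r.head ? r.head->value : -1;
}

int main() {
    // Chain of 3, position 5: the quoted loop stops on e2, the unguarded one
    // runs off the end and leaves head null.
    assert(quoted_value_at(3, 5) == 2);
    assert(unguarded_value_at(3, 5) == -1);
    // Empty bucket: head is null before the first iteration in both forms.
    assert(quoted_value_at(0, 5) == -1);
    return 0;
}
```

With the ternary in place, `head` only ends the loop as nullptr if it was nullptr before the first iteration (an empty bucket); for a chain shorter than `pos_idx` it parks on the last entry, which is the case Andrew's question about `pos_idx` is pointing at. The unguarded variant is what the loop would do without that guard, included only to make the difference visible.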
More information about the hotspot-jfr-dev mailing list