RFR: 8302218: CHeapBitMap::free frees with incorrect size

Daohan Qu duke at openjdk.org
Mon May 22 13:59:52 UTC 2023


On Mon, 22 May 2023 12:21:10 GMT, Axel Boldt-Christmas <aboldtch at openjdk.org> wrote:

>> This patch should fix [JDK-8302218](https://bugs.openjdk.org/browse/JDK-8302218).
>> 
>> In destructor of `CHeapBitMap`, it invokes `free()` to free allocated memory:
>> https://github.com/openjdk/jdk/blob/b3cb82b859d22b18343d125349a5aebc0afb8576/src/hotspot/share/utilities/bitMap.cpp#L133-L135
>> 
>> `free()`'s argument should be size in words, according to:
>> https://github.com/openjdk/jdk/blob/b3cb82b859d22b18343d125349a5aebc0afb8576/src/hotspot/share/utilities/bitMap.cpp#L141-L143
>> 
>> But the destructor passes the argument of `size()` (which returns `_size`). It is "size in bits" according to
>> https://github.com/openjdk/jdk/blob/b3cb82b859d22b18343d125349a5aebc0afb8576/src/hotspot/share/utilities/bitMap.hpp#L63-L65
>> 
>> Instead, it should use the return value of `size_in_words()` to invoke `free()`.
>> 
>> Once `ArrayAllocatorMallocLimit` option is set, `munmap()` may be used by `free()`, which does use the size argument and this may cause crash.
>> 
>> I have tested this patch for tier 1-3 on x86-64 linux.
>
> Fix looks good. 
> 
> Wonder if there is any value in adding a test which lowers ArrayAllocatorMallocLimit to verify that this is working, and that the bug is not reintroduced.

Thanks for your review @xmas92.

> Wonder if there is any value in adding a test which lowers ArrayAllocatorMallocLimit to verify that this is working, and that the bug is not reintroduced.

IMHO, exploiting this bug to crack the VM is a little bit hard. This bug may cause a crash because:

1. `size_in_bits` is larger than `size_in_words`, which causes `munmap` to unmap more memory regions than what is wanted
2. and following execution may accidentally touch the unmapped regions (this could be hard to trigger)

I think this is a bug that may cause crashes unexpectedly someday and needs to be fixed.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14079#issuecomment-1557267710
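The unit mismatch discussed in the thread (a size in bits handed to a `free()` that expects a size in words), as an added example that is not HotSpot code and not part of the PR: `ToyCHeapBitMap`, `TrackingArrayAllocator` and the helper functions below are constructed for illustration. The toy allocator records the word count of every live allocation and refuses a `free()` whose size does not match, which is the kind of check that would have caught the bug before the size reached `munmap`. The example also shows the one case where the bug is masked: a bitmap of exactly one bit, where `size()` and `size_in_words()` happen to agree.

```cpp
// Added example (not HotSpot code): a toy model of a heap-backed bitmap
// whose allocator free() takes a size in words, showing how passing size()
// (bits) instead of size_in_words() over-reports the region to release.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <map>

typedef uintptr_t bm_word_t;
static const size_t BitsPerWord = sizeof(bm_word_t) * 8;

// Round a bit count up to the number of words needed to hold it.
static size_t to_words_align_up(size_t bits) {
    return (bits + BitsPerWord - 1) / BitsPerWord;
}

// Toy allocator (constructed for this example) that remembers the word
// count of every live allocation, so a mismatched size on free() is
// detected instead of being forwarded to the underlying deallocator.
class TrackingArrayAllocator {
    std::map<bm_word_t*, size_t> _live;
public:
    bm_word_t* allocate(size_t words) {
        bm_word_t* p = static_cast<bm_word_t*>(std::calloc(words, sizeof(bm_word_t)));
        _live[p] = words;
        return p;
    }
    // Returns true and releases the block only if `words` matches what was
    // allocated; returns false (and keeps the block) on a unit mismatch.
    bool free(bm_word_t* p, size_t words) {
        std::map<bm_word_t*, size_t>::iterator it = _live.find(p);
        if (it == _live.end() || it->second != words) return false;
        _live.erase(it);
        std::free(p);
        return true;
    }
    size_t live_count() const { return _live.size(); }
};

// Toy bitmap mirroring the size() / size_in_words() distinction.
class ToyCHeapBitMap {
    TrackingArrayAllocator& _alloc;
    bm_word_t* _map;
    size_t _size;  // size in bits
public:
    ToyCHeapBitMap(TrackingArrayAllocator& a, size_t size_in_bits)
        : _alloc(a), _map(NULL), _size(size_in_bits) {
        _map = _alloc.allocate(size_in_words());
    }
    size_t size() const { return _size; }
    size_t size_in_words() const { return to_words_align_up(_size); }

    // Behaviour before the fix: free with the bit count.
    bool release_buggy() { return _alloc.free(_map, size()); }
    // Behaviour after the fix: free with the word count.
    bool release_fixed() { return _alloc.free(_map, size_in_words()); }
};

// True if the pre-fix free() is rejected by the tracking allocator for a
// bitmap of `bits` bits (i.e. the bit count differs from the word count).
bool buggy_free_is_rejected(size_t bits) {
    TrackingArrayAllocator a;
    ToyCHeapBitMap bm(a, bits);
    bool rejected = !bm.release_buggy();
    bm.release_fixed();  // release correctly so the toy allocator does not leak
    return rejected;
}

// True if the post-fix free() is accepted and leaves no live allocation.
bool fixed_free_is_accepted(size_t bits) {
    TrackingArrayAllocator a;
    ToyCHeapBitMap bm(a, bits);
    return bm.release_fixed() && a.live_count() == 0;
}
```

With 64-bit words, any bitmap of two bits or more already makes `size()` exceed `size_in_words()`, so the mismatch is immediate; whether it crashes depends on what the underlying deallocator does with the oversized length, which is why the thread's point that the crash is hard to trigger and the bug still real both hold.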


More information about the hotspot-runtime-dev mailing list