RFR: 8366062: [ubsan] add non-zero offset to nullptr in cds/archiveBuilder.cpp [v6]

Afshin Zafari azafari at openjdk.org
Tue Oct 21 13:42:50 UTC 2025


On Mon, 20 Oct 2025 17:06:16 GMT, Ioi Lam <iklam at openjdk.org> wrote:

>> Afshin Zafari has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   fix after wrong merge.
>
> src/hotspot/share/cds/archiveBuilder.cpp line 1047:
> 
>> 1045: address ArchiveBuilder::offset_to_buffered_address(u4 offset) const {
>> 1046:   // As zero is allowed for _requested_static_archive_bottom, use integer arithmetic to avoid UB pointer arithmetic.
>> 1047:   address requested_addr = (address)((uintptr_t)_requested_static_archive_bottom + offset);
> 
> We should avoid this problem altogether with this:
> 
> 
> - address requested_addr = _requested_static_archive_bottom + offset;
> - address buffered_addr = requested_addr - _buffer_to_requested_delta;
> - address buffered_addr = _buffer_bottom + offset;
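Review bot: The `(uintptr_t)` cast on the new line 1047 only silences the sanitizer at the addition; the result is cast straight back to `address`, and the following statement (`requested_addr - _buffer_to_requested_delta`, visible in the quoted lines) still performs pointer arithmetic on a value that, when `_requested_static_archive_bottom` is null under `-XX:SharedBaseAddress=0`, does not point into any object, so the C++ undefined behaviour is moved one line rather than removed and an instrumented build may still report it. If the requested-address form is kept, do the whole conversion in integer space and cast to `address` once at the end, and guard the buffer base that the conversion ultimately depends on, e.g. `assert(_buffer_bottom != nullptr, "buffer not allocated");` if the usual HotSpot assert form applies here. The trace pasted in the reply reports `archiveBuilder.cpp:1036` while the quoted source is at line 1047, so it appears to come from a different revision of the file; saying which build produced it would make clear whether the failure is with or without the cast. The rest of `offset_to_buffered_address` lies outside the quoted lines.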

The UBSan error reported for this path is:

----------System.err:(41/4910)----------
TEST FAILED: Error processing option SharedBaseAddress with valid value '-server -XX:+UseG1GC -XX:+UnlockDiagnosticVMOptions -XX:SharedArchiveFile=TestOptionsWithRanges.jsa -Xshare:dump -XX:SharedBaseAddress=0'! JVM exited with unexpected error code = 134 [0x86]
stdout content[]
stderr content[/Users/afshin/scratch/8366062_ubsan_nullptr_plus_nz_offset/src/hotspot/share/cds/archiveBuilder.cpp:1036:61: runtime error: applying non-zero offset 3723624 to null pointer
    #0 0x10930c0a4 in ArchiveBuilder::offset_to_buffered_address(unsigned int) const archiveBuilder.cpp:1036
    #1 0x1095ce694 in RunTimeClassInfo::enum_klass_static_fields_addr() const runTimeClassInfo.hpp:163
    #2 0x10a9337b4 in RunTimeClassInfo::init(DumpTimeClassInfo&) runTimeClassInfo.cpp:75
    #3 0x10ab2af34 in CopySharedClassInfoToArchive::do_entry(InstanceKlass*, DumpTimeClassInfo&) systemDictionaryShared.cpp:1296
    #4 0x10ab2abb4 in void DumpTimeSharedClassTable::iterate_all_live_classes<void DumpTimeSharedClassTable::iterate_all_live_classes<CopySharedClassInfoToArchive>(CopySharedClassInfoToArchive*) const::'lambda'(InstanceKlass*, DumpTimeClassInfo&)>(CopySharedClassInfoToArchive) const::'lambda'(InstanceKlass*, DumpTimeClassInfo&)::operator()(InstanceKlass*, DumpTimeClassInfo&) const dumpTimeClassInfo.inline.hpp:51
    #5 0x10ab2a9f4 in void HashTableBase<FixedHashTableStorage<15889u, InstanceKlass*, DumpTimeClassInfo>, InstanceKlass*, DumpTimeClassInfo, (AnyObj::allocation_type)2, (MemTag)13, &unsigned int DumpTimeSharedClassTable_hash<InstanceKlass>(InstanceKlass* const&), &bool primitive_equals<InstanceKlass*>(InstanceKlass const&, InstanceKlass const&)>::iterate<void HashTableBase<FixedHashTableStorage<15889u, InstanceKlass*, DumpTimeClassInfo>, InstanceKlass*, DumpTimeClassInfo, (AnyObj::allocation_type)2, (MemTag)13, &unsigned int DumpTimeSharedClassTable_hash<InstanceKlass>(InstanceKlass* const&), &bool primitive_equals<InstanceKlass*>(InstanceKlass const&, InstanceKlass const&)>::iterate_all<void DumpTimeSharedClassTable::iterate_all_live_classes<void DumpTimeSharedClassTable::iterate_all_live_classes<CopySharedClassInfoToArchive>(InstanceKlass*) const::'lambda'(InstanceKlass*, DumpTimeClassInfo&)>(InstanceKlass) const::'lambda'(InstanceKlass*, DumpTimeClassInfo&)>(InstanceKlass) const:
 :'lambda'(InstanceKlass*&, DumpTimeClassInfo&)>(InstanceKlass) const hashTable.hpp:273
    #6 0x10ab2a914 in void DumpTimeSharedClassTable::iterate_all_live_classes<void DumpTimeSharedClassTable::iterate_all_live_classes<CopySharedClassInfoToArchive>(CopySharedClassInfoToArchive*) const::'lambda'(InstanceKlass*, DumpTimeClassInfo&)>(CopySharedClassInfoToArchive) const dumpTimeClassInfo.inline.hpp:60
    #7 0x10ab26c84 in SystemDictionaryShared::write_dictionary(RunTimeSharedDictionary*, bool) systemDictionaryShared.cpp:1327
    #8 0x10ab26da0 in SystemDictionaryShared::write_to_archive(bool) systemDictionaryShared.cpp:1334
    #9 0x1092e899c in VM_PopulateDumpSharedSpace::dump_read_only_tables(AOTClassLocationConfig*&) aotMetaspace.cpp:627
    #10 0x1092e8ebc in VM_PopulateDumpSharedSpace::doit() aotMetaspace.cpp:696
    #11 0x10acb7d18 in VM_Operation::evaluate() vmOperations.cpp:74
    #12 0x10acd9694 in VMThread::evaluate_operation(VM_Operation*) vmThread.cpp:284
    #13 0x10acda358 in VMThread::inner_execute(VM_Operation*) vmThread.cpp:421
    #14 0x10acd92cc in VMThread::loop() vmThread.cpp:487
    #15 0x10acd8ec8 in VMThread::run() vmThread.cpp:177
    #16 0x10ab8dd64 in Thread::call_run() thread.cpp:243
    #17 0x10a79e998 in thread_native_entry(Thread*) os_bsd.cpp:604
    #18 0x19387fbc4 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6bc4)
    #19 0x19387ab7c in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1b7c)


PR Review Comment: https://git.openjdk.org/jdk/pull/26983#discussion_r2448348759

