[jdk21u-dev] RFR: 8345296: AArch64: VM crashes with SIGILL when prctl is disallowed

Aleksey Shipilev shade at openjdk.org
Thu Dec 12 11:14:36 UTC 2024


On Wed, 11 Dec 2024 17:24:05 GMT, Kerem Kat <krk at openjdk.org> wrote:

> Ref. https://github.com/openjdk/jdk/pull/22479
> 
>> We have caught this in some prod environments, where prctl is forbidden by the sandboxing mechanism. This fails the JVM
> 
> Backport depends on [JDK-8339063](https://bugs.openjdk.org/browse/) which is included.
> 
> JDK-8339063 did not apply cleanly, resolved conflict in `src/hotspot/cpu/aarch64/aarch64.ad` by keeping const qualifiers. These were removed in [JDK-8310948](https://bugs.openjdk.org/browse/JDK-8310948) which doesn't apply cleanly either.
> 
> Additional testing:
> 
> - [x] Verified the bug is fixed with the seccomp repro from [JDK-8345296](https://bugs.openjdk.org/browse/JDK-8345296?focusedId=14727386&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14727386): Segfault without the patch, works with.

I am not entirely convinced the modifications that [JDK-8339063](https://bugs.openjdk.org/browse/JDK-8339063) does to this code are 100% safe. It tries to install the max vector size and exits the VM if not possible? That sounds like a behavioral change with unknown consequences. And unfortunately, that patch is only in JDK 24, so we do not yet know the impact well. Looks like we are mixing that backport because we need access to new `FloatRegister` constants? 

If so, I think it would be safer to just take that particular hunk in `register_aarch64.hpp` only. Then if/when we do [JDK-8339063](https://bugs.openjdk.org/browse/JDK-8339063) backport, it would slide right in. And meanwhile, we keep our reliability posture better.

-------------

PR Comment: https://git.openjdk.org/jdk21u-dev/pull/1222#issuecomment-2538581467

