RFR: 8254231: Implementation of Foreign Linker API (Incubator) [v15]

Jorn Vernee jvernee at openjdk.java.net
Mon Nov 9 11:12:05 UTC 2020 

On Mon, 9 Nov 2020 06:07:32 GMT, Nick Gasson <ngasson at openjdk.org> wrote:

>> Maurizio Cimadamore has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 64 commits:
>> 
>>  - Merge branch '8254162' into 8254231_linker
>>  - Fix post-merge issues caused by 8219014
>>  - Merge branch 'master' into 8254162
>>  - Addess remaining feedback from @AlanBateman and @mrserb
>>  - Address comments from @AlanBateman
>>  - Fix typo in upcall helper for aarch64
>>  - Merge branch '8254162' into 8254231_linker
>>  - Merge branch 'master' into 8254162
>>  - Fix issues with derived buffers and IO operations
>>  - More 32-bit fixes for TestLayouts
>>  - ... and 54 more: https://git.openjdk.java.net/jdk/compare/a50fdd54...b38afb3f
>
> src/hotspot/share/opto/output.cpp line 1697:
> 
>> 1695:       current_offset = cb->insts_size();
>> 1696: 
>> 1697:       assert(!is_mcall || (call_returns[block->_pre_order] == (uint) current_offset), "ret_addr_offset() did not match size of emitted code");
> 
> This assertion is too strong: on AArch64 we generate additional instructions after the BLR (call) instruction for certain types of call. For example
> 
>   
>   0x0000ffff790f00dc:   adr     x9, 0x0000ffff790f00f4
>   0x0000ffff790f00e0:   mov     x8, #0x5714                     // #22292
>   0x0000ffff790f00e4:   movk    x8, #0x8d3d, lsl #16
>   0x0000ffff790f00e8:   movk    x8, #0xffff, lsl #32
>   0x0000ffff790f00ec:   stp     xzr, x9, [sp, #-16]!
>   0x0000ffff790f00f0:   blr     x8
>   0x0000ffff790f00f4:   add     sp, sp, #0x10                          <== ret_addr_offset() is here
>   0x0000ffff790f00f8:   Address 0x0000ffff790f00f8 is out of bounds.   <== current_offset is here
> 
> I think the `==` should be `<=`. (Although this still fails sometimes on AArch64, but I believe it exposes a real bug. I've opened JDK-8256025 and will fix this shortly.)

Ok, that seems fine to me. IIRC the problem this was trying to catch is a ret_addr_offset that is too large, which might cause a later call's oop map to be overridden. So, using `<=` should still work. At least if the code between ret_addr_offset and current_offset is guaranteed not to contain any calls or other safepoints.

-------------

PR: https://git.openjdk.java.net/jdk/pull/634

More information about the security-dev mailing list