RFR(S) 8226406: JVM fails to detect mismatched or corrupt CDS archive
Calvin Cheung
calvin.cheung at oracle.com
Tue Jul 9 06:29:16 UTC 2019
On 7/8/19 4:38 PM, Jiangli Zhou wrote:
> Hi Calvin,
>
> - src/hotspot/share/include/cds.h
>
> 36 #define NUM_CDS_REGIONS 8
>
> The above change would need to be hand fixed when backporting to older
> versions. It's fine to include it in the current review, but it's
> better to create a separate bug and commit using that bug ID. So it
> will make the backports cleaner.
I don't think it is worthwhile filing a bug just for this line.
I've added a comment as follows:
36 #define NUM_CDS_REGIONS 8 // this must be the same as
MetaspaceShared::n_regions
>
> --------
>
> 39 #define CDS_END_MAGIC 0xf00babae
>
> What's the significance of the new end magic? Should the existing
> header validation be sufficient as long as it's done first?
It seems unnecessary now. I got rid of it.
>
> --------
>
> - src/hotspot/share/memory/filemap.cpp
>
> 901 if (_header->_magic != CDS_ARCHIVE_MAGIC && _header->_magic !=
> CDS_DYNAMIC_ARCHIVE_MAGIC) {
> 902 unsigned int expected_magic = is_static ? CDS_ARCHIVE_MAGIC :
> CDS_DYNAMIC_ARCHIVE_MAGIC;
> 903 log_info(cds)("_magic expected: 0x%08x", expected_magic);
> 904 log_info(cds)(" actual: 0x%08x", _header->_magic);
> 905 FileMapInfo::fail_continue("The shared archive file has a bad
> magic number.");
> 906 return false;
> 907 }
> ...
>
> 964 if (is_static) {
> 965 if (_header->_magic != CDS_ARCHIVE_MAGIC) {
> 966 fail_continue("Incorrect static archive magic number");
> 967 return false;
> 968 }
>
> There are two checks for _header->_magic in
> FileMapInfo::init_from_file now but behave differently. The second one
> can be removed. The first check at line 901 should check the _magic
> value based on the 'is_static' flag:
>
> unsigned int expected_magic = is_static ? CDS_ARCHIVE_MAGIC :
> CDS_DYNAMIC_ARCHIVE_MAGIC;
> if (_header->_magic != expected_magic) {
> ...
I've made the above change.
>
> --------
>
> Most of the work now in FileMapInfo::init_from_file should really
> belong to FileMapInfo::validate_header. It would be cleaner to simply
> FileMapInfo::init_from_file to be the following and move the rest to
> FileMapInfo::validate_header. Thoughts?
>
> 888 bool FileMapInfo::init_from_file(int fd, bool is_static) {
> 889 size_t sz = is_static ? sizeof(FileMapHeader) :
> sizeof(DynamicArchiveHeader);
> 890 size_t n = os::read(fd, _header, (unsigned int)sz);
> 891 if (n != sz) {
> 892 fail_continue("Unable to read the file header.");
> 893 return false;
> 894 }
> 895 return true;
> }
The _file_offset will be based on the size_t n and some other fields
(_paths_misc_info, SharedBaseAddress) will be set at lines 953 - 976.
Also, there's the following check in validate_header():
1859 if
(!ClassLoader::check_shared_paths_misc_info(_paths_misc_info,
_header->_paths_misc_info_size, is_static)) {
If the SharedPathsMiscInfo could be removed (JDK-8227370), then it is
possible that validate_header could be called within init_from_file. I
think we should defer this until JDK-8227370.
updated webrev:
http://cr.openjdk.java.net/~ccheung/8226406/webrev.01/
thanks,
Calvin
>
> Best regards,
>
> Jiangli
>
>
> On Mon, Jul 8, 2019 at 10:25 AM Jiangli Zhou <jianglizhou at google.com> wrote:
>> Hi Calvin,
>>
>> On Mon, Jul 8, 2019 at 10:00 AM Calvin Cheung <calvin.cheung at oracle.com> wrote:
>>> Hi Jiangli,
>>>
>>> On 7/7/19 5:12 PM, Jiangli Zhou wrote:
>>>> Hi Calvin,
>>>>
>>>> Per our off-mailing-list email exchange from the previous code review
>>>> for https://bugs.openjdk.java.net/browse/JDK-8211723, I created
>>>> https://bugs.openjdk.java.net/browse/JDK-8227370, 'Remove
>>>> SharedPathsMiscInfo'
>>> Thanks for filing the RFE.
>>>> . I think the crash caused by premature runtime accessing of
>>>> _paths_misc_info_size should be handled as part of JDK-8227370, rather
>>>> than further patching up the SharedPathsMiscInfo
>>> My current patch involves checking most the fields in
>>> CDSFileMapHeaderBase before accessing other fields. This part is
>>> applicable to other fields, not only to the _paths_misc_info_size. This
>>> bug existed for a while and I think it would be a good backport
>>> candidate for 11u. The patch for JDK-8211723 and the follow-up RFE
>>> JDK-8227370 are not necessary to be backported to 11u. I'd like to fix
>>> this bug first and then handle JDK-8227370 as a separate changeset.
>> That sounds like a good plan. A fix targeted for backporting should
>> have a clean-cut (less dependency) and controlled scope. Addressing
>> this incrementally in separate changesets is a suitable approach.
>>
>> I took a quick look over the weekend and noticed some issues with your
>> current patch. That's why I suggested to go with the complete removal
>> without spending extra effort on SharedPathsMiscInfo. I will need to
>> take a closer look and try to get back to you later today.
>>
>> Best regards,
>> Jiangli
>>
>>> thanks,
>>>
>>> Calvin
>>>
>>>> Thanks and regards,
>>>> Jiangli
>>>>
>>>> On Wed, Jul 3, 2019 at 5:59 PM Calvin Cheung <calvin.cheung at oracle.com> wrote:
>>>>> bug: https://bugs.openjdk.java.net/browse/JDK-8226406
>>>>>
>>>>> webrev: http://cr.openjdk.java.net/~ccheung/8226406/webrev.00/
>>>>>
>>>>> This bug was found during a bootcycle build when a shared archive built
>>>>> by a 64-bit JDK version is used by a 32-bit JDK version. It is due to
>>>>> some of the important header fields such as the _jvm_ident was not
>>>>> checked prior to accessinng other fields such as the _paths_misc_info_size.
>>>>>
>>>>> This fix involves checking most the fields in CDSFileMapHeaderBase
>>>>> before accessing other fields.
>>>>>
>>>>> Testing: tiers 1-3.
>>>>>
>>>>> thanks,
>>>>>
>>>>> Calvin
>>>>>
More information about the hotspot-runtime-dev
mailing list