RFR: 8261395: C1 crash "cannot make java calls from the native compiler"

Harold Seigel hseigel at openjdk.java.net
Fri May 7 14:08:55 UTC 2021


On Fri, 7 May 2021 05:26:41 GMT, David Holmes <dholmes at openjdk.org> wrote:

> If a nest host and a nest member are associated with different protection domains it can lead to execution of Java code (to validate the "new" protection domain) during a nestmate access check, if nest membership verification has not yet been performed. This will cause assertion or guarantee failures if executed by a JIT compiler thread during access checks.
> 
> After much discussion and trying different solutions it was decided that the existing logic for nest membership validation unnecessarily tries to resolve constant-pool entries, when it suffices that the symbolic entry in the constant-pool has the same name as the class being checked. Given this check occurs after we have verified the nest host and the purported member are loaded by the same classloader and in the same runtime package, there can only be one class with the name of the member, and that is the member class. Hence resolution of the constant-pool entry serves no purpose but introduces the complexity of dealing with exceptions and avoiding Java code execution in compiler threads.
> 
> @iklam contributed to an earlier version of the fix, and devised the initial testcase approach.
> @coleenp also contributed to an earlier version of the fix. 
> 
> Thanks to both Coleen and Ioi for their insights, discussions and contributions. 
> 
> Testing:
> - the new test
> - tiers 1-3
> 
> Thanks,
> David

LGTM.  Thanks for fixing this.
Harold

-------------

Marked as reviewed by hseigel (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/3913


More information about the hotspot-runtime-dev mailing list