RFR: [XS] 8215411: some GetByteArrayElements calls miss corresponding Release

Baesken, Matthias matthias.baesken at sap.com
Tue Dec 18 17:19:21 UTC 2018 

Hello, here  is an updated  webrev : 


http://cr.openjdk.java.net/~mbaesken/webrevs/8215411.1/

sawindbg.cpp  has been adjusted .
The exception cases mentioned  now also  call   env->ReleaseByteArrayElements  .

Best regards, Matthias

> -----Original Message-----
> From: David Holmes <david.holmes at oracle.com>
> Sent: Dienstag, 18. Dezember 2018 10:04
> To: Baesken, Matthias <matthias.baesken at sap.com>; 'hotspot-
> dev at openjdk.java.net' <hotspot-dev at openjdk.java.net>; serviceability-
> dev at openjdk.java.net; security-dev at openjdk.java.net; JC Beyler
> <jcbeyler at google.com>
> Subject: Re: RFR: [XS] 8215411: some GetByteArrayElements calls miss
> corresponding Release
> 
> Hi Matthias,
> 
> On 18/12/2018 6:52 pm, Baesken, Matthias wrote:
> > Hi JC  / David,  thanks for the input .
> >
> > I'm not really sure what you want me to change David,  am I right  that I can
> keep   the changes to
> >
> > src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
> > src/jdk.attach/windows/native/libattach/VirtualMachineImpl.c
> 
> Yes.
> 
> > but  adjust
> >
> > src/jdk.hotspot.agent/windows/native/libsaproc/sawindbg.cpp
> >
> > to also handle theis potential early return
> >
> > 723   IDebugDataSpaces* ptrIDebugDataSpaces = (IDebugDataSpaces*)
> env->GetLongField(obj,
> >   724                                                        ptrIDebugDataSpaces_ID);
> >   725   CHECK_EXCEPTION_(0);
> >
> > ?
> 
> And I think:
> 
>   730      THROW_NEW_DEBUGGER_EXCEPTION_("Windbg Error: ReadVirtual
> failed!", 0);
> 
> as I assume that won't actually return normally.
> 
> >>> Also you change seem wrong to me because it will commit the changes
> in
> >>> the buffer even if we "abort" here:
> >>>
> >>> 735   if (bytesRead != numBytes) {
> >>>    736      return 0;
> >>>    737   }
> >>>
> >
> > The spec says :
> >
> >
> https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/function
> s.html
> >
> >> Release<PrimitiveType>ArrayElements Routines
> >> void Release<PrimitiveType>ArrayElements(JNIEnv *env, ArrayType
> array, NativeType *elems, jint mode);
> >>
> >> A family of functions that informs the VM that the native code no longer
> needs access to elems. The elems argument is a pointer derived from array
> using the corresponding
> >> Get<PrimitiveType>ArrayElements() function. If necessary, this function
> copies back all changes made to elems to the original array.
> >
> > So  shouldn't  I tell the VM , that  the native  code no longer needs access to
> bytePtr  before  returning here
> >
> > 735   if (bytesRead != numBytes) {
> > 736      return 0;
> >   737   }
> >
> > ?
> 
> There are two aspects to release:
>   1. the actual release (or "I don't need this any more")
>   2. committing any changes made back to the original array
> 
> This code does:
> 
> 728   if (ptrIDebugDataSpaces->ReadVirtual((ULONG64) address, (PVOID)
> bytePtr,
>   729                                   (ULONG)numBytes, &bytesRead) !=
> S_OK) {
> 
> which writes into the array. It then checks if we wrote what we expected:
> 
>   735   if (bytesRead != numBytes) {
>   736      return 0;
>   737   }
> 
> If we didn't read what was expected what should happen to the original
> array? Should it be left untouched or updated with the unexpected input?
> I would say left untouched and that is what the original code did.
> 
> If everything succeeds you should do the release with mode 0; but if
> taking an error exit the release should use mode JNI_ABORT so no changes
> are written back.
> 
> Cheers,
> David
> 
> > Best regards, Matthias
> >
> >
> >> -----Original Message-----
> >> From: David Holmes <david.holmes at oracle.com>
> >> Sent: Dienstag, 18. Dezember 2018 01:20
> >> To: Baesken, Matthias <matthias.baesken at sap.com>; 'hotspot-
> >> dev at openjdk.java.net' <hotspot-dev at openjdk.java.net>; serviceability-
> >> dev at openjdk.java.net; security-dev at openjdk.java.net
> >> Subject: Re: RFR: [XS] 8215411: some GetByteArrayElements calls miss
> >> corresponding Release
> >>
> >> Correction ...
> >>
> >> On 18/12/2018 8:25 am, David Holmes wrote:
> >>> Hi Matthias,
> >>>
> >>> On 17/12/2018 6:59 pm, Baesken, Matthias wrote:
> >>>> Hello, please review the following change.
> >>>> I noticed that we miss at some places (for example in case of early
> >>>> returns)
> >>>> where GetByteArrayElements is used,  the corresponding
> >>>> ReleaseByteArrayElements  call.
> >>>>
> >>>> In VirtualMachineImpl.c  I also removed a check for isCopy (is the
> >>>> returned byte array a copy ?)
> >>>> because from what I read at
> >>>>
> >>>>
> >>
> https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/function
> >> s.html
> >>>>
> >>>>
> >>>> the ReleaseByteArrayElements  routine should always be called.
> >>>
> >>> That's not clear to me. My reading is that you only need to release if
> >>> you have changes you need to ensure are written back and that is only
> >>> needed if a copy was made.
> >>
> >> Jc pointed out to me that if a copy is made you may need to release to
> >> avoid a memory leak. But that is where the mode flags come in - and
> >> again only relevant if a copy was made.
> >>
> >> But as per:
> >>
> >> https://developer.android.com/training/articles/perf-jni
> >>
> >> if a copy is not made and pinning is used (as with the "critical"
> >> variants) then you also need to release to un-pin.
> >>
> >> So code should call release, with an appropriate mode, based on whether
> >> isCopy was true**, and whether changed data should be written back.
> >>
> >> ** mode is ignored if not working on a copy so you can just set it
> >> assuming a copy was made.
> >>
> >> Note that the hotspot implementation always makes a copy for
> >> GextXXXArrayElements, and the ReleaseXXXArrayElements knows this
> and
> >> so
> >> will always free the buffer that is passed in (other than for mode
> >> JNI_COMMIT of course).
> >>
> >> Cheers,
> >> David
> >> -----
> >>
> >>> That said, the change seem semantically correct and harmless in this
> case.
> >>> ---
> >>>
> >>> src/jdk.hotspot.agent/windows/native/libsaproc/sawindbg.cpp
> >>>
> >>> AFAICS there are still multiple exit paths via CHECK_EXCEPTION_(0) and
> >>> THROW_NEW_DEBUGGER_EXCEPTION_ that won't release the buffer.
> >>>
> >>> Also you change seem wrong to me because it will commit the changes
> in
> >>> the buffer even if we "abort" here:
> >>>
> >>> 735   if (bytesRead != numBytes) {
> >>>    736      return 0;
> >>>    737   }
> >>>
> >>> so it seems to me if you really want to release on all paths then the
> >>> error paths should use a mode of JNI_ABORT and only the success path
> >>> should use mode 0.
> >>>
> >>> ---
> >>>
> >>>    src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m
> >>>
> >>> This change seems okay, though again potentially not necessary - as we
> >>> never commit any changes.
> >>>
> >>> Thanks,
> >>> David
> >>> -----
> >>>
> >>>>
> >>>> bug/webrev :
> >>>>
> >>>> https://bugs.openjdk.java.net/browse/JDK-8215411
> >>>>
> >>>> http://cr.openjdk.java.net/~mbaesken/webrevs/8215411.0/
> >>>>
> >>>>
> >>>> Thanks, Matthias
> >>>>

More information about the security-dev mailing list