JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true #2995
Conversation
|
|
Webrevs
|
src/hotspot/share/memory/arena.hpp
Outdated
| @@ -185,7 +185,9 @@ class Arena : public CHeapObj<mtNone> { | |||
| // Fast delete in area. Common case is: NOP (except for storage reclaimed) | |||
| bool Afree(void *ptr, size_t size) { | |||
| #ifdef ASSERT | |||
| if (ZapResourceArea) memset(ptr, badResourceValue, size); // zap freed memory | |||
| if (ZapResourceArea && ptr != NULL) { | |||
There was a problem hiding this comment.
The pointer arithmetic on line 193 is UB if ptr is nullptr (though it's unlikely anyone checks), so either Afree has ptr != nullptr as an (unstated) precondition or there are potentially more problems than the memset.
|
Thanks Kim. I changed the fix to fix the one caller I was sure about passing NULL, and assert in AFree instead. (update: looking at Node::destruct, I believe the coding was correct and there is no way this could have been called with NULL; so I reduce this patch to just the assert in AFree) I removed the Trivial mark. Before pushing I will put this through tests to check if it triggers. I believe even though the pointer arithmetic below was UB with NULL, the effect would have in general been benign (just refusing to free anything). |
|
@tstuefe This change now passes all automated pre-integration checks. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 114 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.
|
|
Mailing list message from Kim Barrett on hotspot-runtime-dev:
(The skara bots don?t resend edited comments, so this is missing your update, quoted below.)
I looked at it too, and agree with your assessment.
I also agree the UB won?t be detected and the effect benign. Looks good. |
Thanks Kim. |
|
Thanks @coleenp and @kimbarrett . However, as I feared, with the assert alone I now see it firing both in our nightlies at SAP and in the GAs in compiler tests. Which is cool in a way since this is the first time SonarCloud reported anything demonstrably real.:) I'll take a look at the crashes and modify the patch. |
|
I changed the patch to provide the same semantics on passed old ptr == NULL as standard The culprit in this case - calling realloc with a NULL pointer - was aot, I considered fixing the caller, but I am used to the C-runtime semantics in free and realloc, and it looks like others are too; so this is the least surprising behavior for a realloc-like function. Also, this fixes the subtle bug where, when passing NULL to Arealloc, we would return "false" to indicate that we have a lossfull realloc. The only case I can see where the return value was actually used was in |
|
Coleen, Kim, are you fine with this latest version? Thanks! |
src/hotspot/share/memory/arena.cpp
Outdated
| @@ -366,6 +366,10 @@ void* Arena::grow(size_t x, AllocFailType alloc_failmode) { | |||
| // Reallocate storage in Arena. | |||
| void *Arena::Arealloc(void* old_ptr, size_t old_size, size_t new_size, AllocFailType alloc_failmode) { | |||
| if (new_size == 0) return NULL; | |||
There was a problem hiding this comment.
[pre-existing] Isn't this a leak? Probably just dropping old_ptr.
There was a problem hiding this comment.
Yes, it is a leak, at least if we run with UseMallocOnly. I think this, and Amalloc, should behave consistently with os::malloc here, which is to return a small non-null allocation for size=0. Basically, if size==0 size=1.
|
Thanks Coleen & Kim! /integrate |
|
@tstuefe Since your change was applied there have been 115 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit d2c137d. |
Sonarcloud reports a possible NULL dereference when zapping the to-be-freed area in fast-path arena free. Possible call stack for this to happen starts in Node::destruct(PhaseValues* phase).
Progress
Issue
Reviewers
Download
To checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/2995/head:pull/2995$ git checkout pull/2995To update a local copy of the PR:
$ git checkout pull/2995$ git pull https://git.openjdk.java.net/jdk pull/2995/headThe text was updated successfully, but these errors were encountered: