JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true #2995
Conversation
src/hotspot/share/memory/arena.hpp
Outdated
@@ -185,7 +185,9 @@ class Arena : public CHeapObj<mtNone> { | |||
// Fast delete in area. Common case is: NOP (except for storage reclaimed) | |||
bool Afree(void *ptr, size_t size) { | |||
#ifdef ASSERT | |||
if (ZapResourceArea) memset(ptr, badResourceValue, size); // zap freed memory | |||
if (ZapResourceArea && ptr != NULL) { |
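Review bot: the added `ptr != NULL` guard only protects the `memset`; if a NULL `ptr` can reach `Afree`, the pointer arithmetic later in the function (outside this hunk) still runs on it, so either the whole body needs the check or the precondition should be made explicit with an `assert(ptr != NULL, ...)` in this `#ifdef ASSERT` block so a NULL caller is caught in debug builds instead of silently skipping the zap.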
The pointer arithmetic on line 193 is UB if ptr is nullptr (though it's unlikely anyone checks), so either Afree has ptr != nullptr as an (unstated) precondition or there are potentially more problems than the memset.
Thanks Kim. I changed the fix to fix the one caller I was sure about passing NULL, and assert in AFree instead. (update: looking at Node::destruct, I believe the coding was correct and there is no way this could have been called with NULL; so I reduce this patch to just the assert in AFree) I removed the Trivial mark. Before pushing I will put this through tests to check if it triggers. I believe even though the pointer arithmetic below was UB with NULL, the effect would have in general been benign (just refusing to free anything).
@tstuefe This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 114 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the
Mailing list message from Kim Barrett on hotspot-runtime-dev:
(The skara bots don't resend edited comments, so this is missing your update, quoted below.)
I looked at it too, and agree with your assessment.
I also agree the UB won't be detected and the effect benign. Looks good.
Thanks Kim.
Looks good.
Thanks @coleenp and @kimbarrett . However, as I feared, with the assert alone I now see it firing both in our nightlies at SAP and in the GAs in compiler tests. Which is cool in a way since this is the first time SonarCloud reported anything demonstrably real.:) I'll take a look at the crashes and modify the patch.
I changed the patch to provide the same semantics on passed old ptr == NULL as standard The culprit in this case - calling realloc with a NULL pointer - was aot, I considered fixing the caller, but I am used to the C-runtime semantics in free and realloc, and it looks like others are too; so this is the least surprising behavior for a realloc-like function. Also, this fixes the subtle bug where, when passing NULL to Arealloc, we would return "false" to indicate that we have a lossful realloc. The only case I can see where the return value was actually used was in
Coleen, Kim, are you fine with this latest version? Thanks!
src/hotspot/share/memory/arena.cpp
Outdated
@@ -366,6 +366,10 @@ void* Arena::grow(size_t x, AllocFailType alloc_failmode) { | |||
// Reallocate storage in Arena. | |||
void *Arena::Arealloc(void* old_ptr, size_t old_size, size_t new_size, AllocFailType alloc_failmode) { | |||
if (new_size == 0) return NULL; |
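Review bot: `if (new_size == 0) return NULL;` hands back NULL without releasing `old_ptr`, so the old block is leaked (visibly so under `UseMallocOnly`, where the arena really does malloc); make the zero-size case consistent with `os::malloc` and `Amalloc` by clamping `new_size` to 1 and letting the normal path deal with the old storage, rather than early-returning NULL.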
[pre-existing] Isn't this a leak? Probably just dropping old_ptr.
Yes, it is a leak, at least if we run with UseMallocOnly. I think this, and Amalloc, should behave consistently with os::malloc here, which is to return a small non-null allocation for size=0. Basically, if size==0 size=1.
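The following is an added illustration, not HotSpot's arena code: a toy bump-pointer arena whose `Afree` and `Arealloc` follow the semantics the thread settles on (a non-NULL precondition asserted in `Afree`, zapping of freed bytes when enabled, C `realloc` behaviour for a NULL `old_ptr`, and a zero-size request clamped to one byte so nothing is dropped). The class and function names, the 4 KiB buffer, the `kBadResourceValue` pattern and the `_zap` flag are all assumptions standing in for the real `Arena`, `badResourceValue` and `ZapResourceArea`.

```cpp
// Added example (not HotSpot code): a toy arena showing the free/realloc
// edge cases discussed in JDK-8263558. Names and sizes are assumptions.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <cstring>

namespace toy {

// Stands in for HotSpot's badResourceValue; the pattern is an assumption.
static const unsigned char kBadResourceValue = 0xAB;

class Arena {
  unsigned char _buf[4096];  // single fixed chunk, enough for the demo
  size_t _hwm;               // high-water mark: bytes handed out so far
  bool _zap;                 // stands in for the ZapResourceArea flag
 public:
  explicit Arena(bool zap) : _hwm(0), _zap(zap) { memset(_buf, 0, sizeof _buf); }

  void* Amalloc(size_t size) {
    if (size == 0) size = 1;  // os::malloc-like: distinct non-NULL block for size 0
    if (_hwm + size > sizeof _buf) return nullptr;
    void* p = _buf + _hwm;
    _hwm += size;
    return p;
  }

  // Fast delete: a NOP except that storage is reclaimed when ptr is the top block.
  bool Afree(void* ptr, size_t size) {
    assert(ptr != nullptr && "Afree: a NULL ptr is a caller bug");
    if (_zap) memset(ptr, kBadResourceValue, size);  // zap freed memory
    unsigned char* p = static_cast<unsigned char*>(ptr);
    if (p + size == _buf + _hwm) { _hwm -= size; return true; }
    return false;
  }

  void* Arealloc(void* old_ptr, size_t old_size, size_t new_size) {
    if (old_ptr == nullptr) return Amalloc(new_size);  // realloc(NULL, n) == malloc(n)
    if (new_size == 0) new_size = 1;                   // never return NULL and leak old_ptr
    unsigned char* op = static_cast<unsigned char*>(old_ptr);
    if (op + old_size == _buf + _hwm) {                // top block: resize in place
      if (op + new_size > _buf + sizeof _buf) return nullptr;
      _hwm = static_cast<size_t>(op + new_size - _buf);
      return old_ptr;
    }
    if (new_size <= old_size) return old_ptr;          // shrinking a buried block: keep it
    void* np = Amalloc(new_size);
    if (np == nullptr) return nullptr;
    memcpy(np, old_ptr, old_size);
    Afree(old_ptr, old_size);
    return np;
  }

  size_t used() const { return _hwm; }
};

// Probes used by main() below to demonstrate the three behaviours.

// realloc from NULL behaves like malloc: the arena grows by exactly n bytes.
size_t used_after_realloc_from_null(size_t n) {
  Arena a(false);
  void* p = a.Arealloc(nullptr, 0, n);
  return p == nullptr ? 0 : a.used();
}

// realloc to size 0 yields a 1-byte block instead of NULL, so no block is dropped.
size_t used_after_realloc_to_zero() {
  Arena a(false);
  void* p = a.Arealloc(nullptr, 0, 16);
  void* q = a.Arealloc(p, 16, 0);
  return q == nullptr ? 0 : a.used();
}

// With zapping on, every freed byte carries the bad-resource pattern.
// (Reading the bytes afterwards is fine here: they live in the arena's own array.)
bool freed_bytes_zapped(bool zap) {
  Arena a(zap);
  unsigned char* p = static_cast<unsigned char*>(a.Amalloc(8));
  memset(p, 0x11, 8);
  bool reclaimed = a.Afree(p, 8);  // fast path: p is the top block
  assert(reclaimed);
  for (int i = 0; i < 8; i++) if (p[i] != kBadResourceValue) return false;
  return true;
}

}  // namespace toy

int main() {
  printf("used after Arealloc(NULL, 0, 16): %zu\n", toy::used_after_realloc_from_null(16));
  printf("used after Arealloc(p, 16, 0):    %zu\n", toy::used_after_realloc_to_zero());
  printf("zapped (zap on): %d, zapped (zap off): %d\n",
         toy::freed_bytes_zapped(true), toy::freed_bytes_zapped(false));
  return 0;
}
```

The assert in `Afree` is the point Kim raised: once the pointer arithmetic that follows is reached, a NULL `ptr` is already undefined behaviour, so a debug-build assertion on entry is more useful than a NULL-tolerant zap. The size-0 clamp in both `Amalloc` and `Arealloc` is what keeps the two consistent with `os::malloc` and removes the early `return NULL` that dropped `old_ptr`.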
Looks good.
Thanks Coleen & Kim! /integrate
@tstuefe Since your change was applied there have been 115 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit d2c137d. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
Sonarcloud reports a possible NULL dereference when zapping the to-be-freed area in fast-path arena free. Possible call stack for this to happen starts in Node::destruct(PhaseValues* phase).
Download
To checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/2995/head:pull/2995
$ git checkout pull/2995
To update a local copy of the PR:
$ git checkout pull/2995
$ git pull https://git.openjdk.java.net/jdk pull/2995/head