Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8315074: Possible null pointer access in native glass #1223

Closed
wants to merge 2 commits into from

Conversation

jayathirthrao
Copy link
Member

@jayathirthrao jayathirthrao commented Aug 28, 2023

At multiple places in native glass code we don't have appropriate NULL checks which might result in null pointer access.

Added appropriate checks and all test run is green.


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed (2 reviews required, with at least 1 Reviewer, 1 Author)

Issue

  • JDK-8315074: Possible null pointer access in native glass (Bug - P3)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jfx.git pull/1223/head:pull/1223
$ git checkout pull/1223

Update a local copy of the PR:
$ git checkout pull/1223
$ git pull https://git.openjdk.org/jfx.git pull/1223/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 1223

View PR using the GUI difftool:
$ git pr show -t 1223

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jfx/pull/1223.diff

Webrev

Link to Webrev Comment

@bridgekeeper
Copy link

bridgekeeper bot commented Aug 28, 2023

👋 Welcome back jdv! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Ready for review label Aug 28, 2023
@mlbridge
Copy link

mlbridge bot commented Aug 28, 2023

Webrevs

@kevinrushforth
Copy link
Member

/reviewers 2

@openjdk
Copy link

openjdk bot commented Aug 28, 2023

@kevinrushforth
The total number of required reviews for this PR (including the jcheck configuration and the last /reviewers command) is now set to 2 (with at least 1 Reviewer, 1 Author).

gdk_threads_add_idle_full(G_PRIORITY_HIGH_IDLE + 30, call_runnable, context, NULL);
// we release this context in call_runnable
} else {
fprintf(stderr, "malloc failed in GtkApplication__1submitForLaterInvocatio\n");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the malloc above failed, I would think there might be very serious errors hence maybe this should be propagated to the Java layer, or throw the relevant memory exception?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good question. Since this is a void method (thus there is no way to signal an error), the ideal thing would be to throw an OutOfMemoryError before returning, but if a malloc of this small size were to fail, we might not even be able to create the OOME. Not sure it's worth it in this case. What do you think?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree a crash due to a null pointer is not desired, as that gives very little info to the developer.
If that malloc fails, it is an indication that there is a major chance that we are in serious trouble. In that case, simply printing something (which could fail as well if there is that limited memory) and not informing the caller will most likely just postpone the crash.
Unless we can free some memory immediately, I think it might be good if we can try to exit gracefully. The drawback of this is that if there is a trivial way to free memory and the native code was just about to invoke free() on a big memory chunk, we are exiting without a good reason (although I think this scenario is unlikely).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea is to avoid the crash entirely. If we actually hit this case, it is very likely that other calls will also run out of memory. Returning to Java as quickly as possible will let any pending OOME be thrown. A library should not exit, so really we have two choices here:

  1. Throw OOM and then return
  2. Just return

While option 1 might be the better choice, it would be a more intrusive fix. Most of the native code just returns to Java, although we do have a few places where we throw. OOME. It might be better to keep this fix simple (and more in line with what other functions in glass do), and address this with a follow-up issue?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not against that, especially since it's in line with what we do in other functions in glass.
However, I am worried about the consequences. In case we just return, the caller has no idea that there is a major problem. A Runnable is supplied to e.g. _invokeAndWait, but it will never get executed while the caller (and the application logic) assumes it is scheduled. This can have serious consequences and unexpected behavior in the application.
But maybe I'm missing something and it is less severe than I'm picturing it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see what you are saying, but worth noting in this specific case is that if the malloc of RunnableContext (a 12-byte struct) fails, we're not going to be able to allocate an OOME anyway.

My preference would be to leave this fix as is, and file a follow-up issue to change the return type of GtkApplication::submitForLaterInvocation (and the equivalent methods in the other glass pipelines) to boolean so we can return an error code and throw an exception (which would very likely provoke an OOME, but in any case would never silently fail).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I filed the following two follow-on umbrella tasks:

JDK-8316020: ☂ Check memory allocation for null return value (P3)
JDK-8316022: ☂ Memory allocation failure should throw OOME (P4)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first of these already has two linked blocking bugs (this one, and the previously integrated JDK-8313900 / PR #1204)

Copy link
Collaborator

@johanvos johanvos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the ios changes are fine.
In general, I'm still worried about the consequences of silently ignoring a fatal error (although there is a printf, but that doesn't propagate to the caller), but this can indeed be fixed in a follow-up issue.

@kevinrushforth kevinrushforth requested review from kevinrushforth and removed request for arapte September 11, 2023 13:27
Copy link
Member

@kevinrushforth kevinrushforth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@kevinrushforth
Copy link
Member

@johanvos Can you re-review?

@openjdk
Copy link

openjdk bot commented Sep 11, 2023

@jayathirthrao This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8315074: Possible null pointer access in native glass

Reviewed-by: jvos, kcr

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 13 new commits pushed to the master branch:

  • 7c8dd1e: 8315958: Missing range checks in GlassPasteboard
  • 624fe86: 8313651: Add 'final' keyword to public property methods in controls
  • 325be56: 8310666: gradle validateSourceSets task not run when TEST_ONLY=true
  • eb7de72: 8315317: Add test for JDK-8262518
  • ed92171: 8315870: icu fails to compile with Visual Studio 2022 17.6.5
  • 8fcd6e5: 8308608: [testbug] Use Util::waitForIdle instead of Toolkit::firePulse in system tests
  • 3bfede8: 8314779: [testbug] Add test to all the XYCharts to check if chart components are removed when series is cleared
  • 668e4b9: 8315728: [testbug] SystemMenuBarTest prints "FAILED IS: false"
  • e8491ba: 8283675: Line not removed from LineChart when series cleared
  • 84aad81: 8314064: Enable building JavaFX on native Windows AArch64 (ARM64)
  • ... and 3 more: https://git.openjdk.org/jfx/compare/be2c7aea20c7752f069e526d2c3f9bea11bc1634...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@johanvos, @kevinrushforth) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot added the ready Ready to be integrated label Sep 11, 2023
@jayathirthrao
Copy link
Member Author

/integrate

@openjdk openjdk bot added the sponsor Ready to sponsor label Sep 13, 2023
@openjdk
Copy link

openjdk bot commented Sep 13, 2023

@jayathirthrao
Your change (at version 68e3b19) is now ready to be sponsored by a Committer.

@kevinrushforth
Copy link
Member

/sponsor

@openjdk
Copy link

openjdk bot commented Sep 13, 2023

Going to push as commit f7b21e5.
Since your change was applied there have been 13 commits pushed to the master branch:

  • 7c8dd1e: 8315958: Missing range checks in GlassPasteboard
  • 624fe86: 8313651: Add 'final' keyword to public property methods in controls
  • 325be56: 8310666: gradle validateSourceSets task not run when TEST_ONLY=true
  • eb7de72: 8315317: Add test for JDK-8262518
  • ed92171: 8315870: icu fails to compile with Visual Studio 2022 17.6.5
  • 8fcd6e5: 8308608: [testbug] Use Util::waitForIdle instead of Toolkit::firePulse in system tests
  • 3bfede8: 8314779: [testbug] Add test to all the XYCharts to check if chart components are removed when series is cleared
  • 668e4b9: 8315728: [testbug] SystemMenuBarTest prints "FAILED IS: false"
  • e8491ba: 8283675: Line not removed from LineChart when series cleared
  • 84aad81: 8314064: Enable building JavaFX on native Windows AArch64 (ARM64)
  • ... and 3 more: https://git.openjdk.org/jfx/compare/be2c7aea20c7752f069e526d2c3f9bea11bc1634...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Sep 13, 2023
@openjdk openjdk bot closed this Sep 13, 2023
@openjdk openjdk bot removed ready Ready to be integrated rfr Ready for review sponsor Ready to sponsor labels Sep 13, 2023
@openjdk
Copy link

openjdk bot commented Sep 13, 2023

@kevinrushforth @jayathirthrao Pushed as commit f7b21e5.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated Pull request has been integrated
4 participants