From ecee7fc84bf9c1975177717d19d39bff084479ee Mon Sep 17 00:00:00 2001 From: Zoltan Majo Date: Fri, 10 Feb 2017 08:16:49 +0100 Subject: [PATCH] 8173151: Code heap corruption due to incorrect inclusion test Change inclusion test to use CodeBlob::code_begin() for AOT methods and start of CodeBlob otherwise. Added regression test. Reviewed-by: thartmann, dlong, kvn --- hotspot/src/share/vm/aot/aotCodeHeap.hpp | 5 ++ hotspot/src/share/vm/code/codeCache.cpp | 2 +- hotspot/src/share/vm/code/codeCache.hpp | 5 +- hotspot/src/share/vm/memory/heap.cpp | 12 +++ hotspot/src/share/vm/memory/heap.hpp | 4 +- hotspot/src/share/vm/runtime/globals.hpp | 2 +- .../stress/ReturnBlobToWrongHeapTest.java | 89 +++++++++++++++++++ 7 files changed, 113 insertions(+), 6 deletions(-) create mode 100644 hotspot/test/compiler/codecache/stress/ReturnBlobToWrongHeapTest.java diff --git a/hotspot/src/share/vm/aot/aotCodeHeap.hpp b/hotspot/src/share/vm/aot/aotCodeHeap.hpp index 0e0d0038d10..5c803cc0903 100644 --- a/hotspot/src/share/vm/aot/aotCodeHeap.hpp +++ b/hotspot/src/share/vm/aot/aotCodeHeap.hpp @@ -240,6 +240,11 @@ public: assert(result == CodeHeap::contains(p), ""); return result; } + + bool contains_blob(const CodeBlob* blob) const { + return CodeHeap::contains(blob->code_begin()); + } + AOTCompiledMethod* find_aot(address p) const; virtual void* find_start(void* p) const; diff --git a/hotspot/src/share/vm/code/codeCache.cpp b/hotspot/src/share/vm/code/codeCache.cpp index e1a2f6392b0..549535b7aa0 100644 --- a/hotspot/src/share/vm/code/codeCache.cpp +++ b/hotspot/src/share/vm/code/codeCache.cpp @@ -417,7 +417,7 @@ void CodeCache::add_heap(ReservedSpace rs, const char* name, int code_blob_type) CodeHeap* CodeCache::get_code_heap(const CodeBlob* cb) { assert(cb != NULL, "CodeBlob is null"); FOR_ALL_HEAPS(heap) { - if ((*heap)->contains(cb->code_begin())) { + if ((*heap)->contains_blob(cb)) { return *heap; } } diff --git a/hotspot/src/share/vm/code/codeCache.hpp b/hotspot/src/share/vm/code/codeCache.hpp index 99209dc3c66..469ac0af329 100644 --- a/hotspot/src/share/vm/code/codeCache.hpp +++ b/hotspot/src/share/vm/code/codeCache.hpp @@ -304,11 +304,10 @@ template class CodeBlobIterator : public StackObj { // If set to NULL, initialized by first call to next() _code_blob = (CodeBlob*)nm; if (nm != NULL) { - address start = nm->code_begin(); - while(!(*_heap)->contains(start)) { + while(!(*_heap)->contains_blob(_code_blob)) { ++_heap; } - assert((*_heap)->contains(start), "match not found"); + assert((*_heap)->contains_blob(_code_blob), "match not found"); } } diff --git a/hotspot/src/share/vm/memory/heap.cpp b/hotspot/src/share/vm/memory/heap.cpp index 9d2179d5cf7..8db869ca8ce 100644 --- a/hotspot/src/share/vm/memory/heap.cpp +++ b/hotspot/src/share/vm/memory/heap.cpp @@ -190,6 +190,10 @@ void* CodeHeap::allocate(size_t instance_size) { if (block != NULL) { assert(block->length() >= number_of_segments && block->length() < number_of_segments + CodeCacheMinBlockLength, "sanity check"); assert(!block->free(), "must be marked free"); + guarantee((char*) block >= _memory.low_boundary() && (char*) block < _memory.high(), + "The newly allocated block " INTPTR_FORMAT " is not within the heap " + "starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT, + p2i(block), p2i(_memory.low_boundary()), p2i(_memory.high())); DEBUG_ONLY(memset((void*)block->allocated_space(), badCodeHeapNewVal, instance_size)); _max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity()); _blob_count++; @@ -204,6 +208,10 @@ void* CodeHeap::allocate(size_t instance_size) { HeapBlock* b = block_at(_next_segment); b->initialize(number_of_segments); _next_segment += number_of_segments; + guarantee((char*) b >= _memory.low_boundary() && (char*) block < _memory.high(), + "The newly allocated block " INTPTR_FORMAT " is not within the heap " + "starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT, + p2i(b), p2i(_memory.low_boundary()), p2i(_memory.high())); DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapNewVal, instance_size)); _max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity()); _blob_count++; @@ -219,6 +227,10 @@ void CodeHeap::deallocate(void* p) { // Find start of HeapBlock HeapBlock* b = (((HeapBlock *)p) - 1); assert(b->allocated_space() == p, "sanity check"); + guarantee((char*) b >= _memory.low_boundary() && (char*) b < _memory.high(), + "The block to be deallocated " INTPTR_FORMAT " is not within the heap " + "starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT, + p2i(b), p2i(_memory.low_boundary()), p2i(_memory.high())); DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapFreeVal, segments_to_size(b->length()) - sizeof(HeapBlock))); add_to_freelist(b); diff --git a/hotspot/src/share/vm/memory/heap.hpp b/hotspot/src/share/vm/memory/heap.hpp index d75559695e1..6fe3391d6f0 100644 --- a/hotspot/src/share/vm/memory/heap.hpp +++ b/hotspot/src/share/vm/memory/heap.hpp @@ -153,7 +153,9 @@ class CodeHeap : public CHeapObj { char* high() const { return _memory.high(); } char* high_boundary() const { return _memory.high_boundary(); } - virtual bool contains(const void* p) const { return low_boundary() <= p && p < high(); } + virtual bool contains(const void* p) const { return low_boundary() <= p && p < high(); } + virtual bool contains_blob(const CodeBlob* blob) const { return low_boundary() <= (char*) blob && (char*) blob < high(); } + virtual void* find_start(void* p) const; // returns the block containing p or NULL virtual CodeBlob* find_blob_unsafe(void* start) const; size_t alignment_unit() const; // alignment of any block diff --git a/hotspot/src/share/vm/runtime/globals.hpp b/hotspot/src/share/vm/runtime/globals.hpp index 5282a6b9e17..8209f62efc6 100644 --- a/hotspot/src/share/vm/runtime/globals.hpp +++ b/hotspot/src/share/vm/runtime/globals.hpp @@ -3374,7 +3374,7 @@ public: "Code cache expansion size (in bytes)") \ range(0, max_uintx) \ \ - develop_pd(uintx, CodeCacheMinBlockLength, \ + diagnostic_pd(uintx, CodeCacheMinBlockLength, \ "Minimum number of segments in a code cache block") \ range(1, 100) \ \ diff --git a/hotspot/test/compiler/codecache/stress/ReturnBlobToWrongHeapTest.java b/hotspot/test/compiler/codecache/stress/ReturnBlobToWrongHeapTest.java new file mode 100644 index 00000000000..52ccab6aff8 --- /dev/null +++ b/hotspot/test/compiler/codecache/stress/ReturnBlobToWrongHeapTest.java @@ -0,0 +1,89 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test ReturnBlobToWrongHeapTest + * @key stress + * @summary Test if VM attempts to return code blobs to an incorrect code heap or to outside of the code cache. + * @library /test/lib / + * @modules java.base/jdk.internal.misc + * java.management + * + * @build sun.hotspot.WhiteBox + * @run driver ClassFileInstaller sun.hotspot.WhiteBox + * sun.hotspot.WhiteBox$WhiteBoxPermission + * @run main/othervm -Xbootclasspath/a:. -XX:+UnlockDiagnosticVMOptions + * -XX:+WhiteBoxAPI + * -XX:CompileCommand=dontinline,compiler.codecache.stress.Helper$TestCase::method + * -XX:+SegmentedCodeCache + * -XX:ReservedCodeCacheSize=16M + * -XX:CodeCacheMinBlockLength=1 + * compiler.codecache.stress.ReturnBlobToWrongHeapTest + */ + +package compiler.codecache.stress; + +import sun.hotspot.code.BlobType; + +import java.util.ArrayList; + +public class ReturnBlobToWrongHeapTest { + private static final long largeBlobSize = Helper.WHITE_BOX.getUintxVMFlag("ReservedCodeCacheSize") >> 6; + private static final long codeCacheMinBlockLength = Helper.WHITE_BOX.getUintxVMFlag("CodeCacheMinBlockLength"); + private static final BlobType[] BLOB_TYPES = BlobType.getAvailable().toArray(new BlobType[0]); + + // Allocate blob in first code heap (the code heap with index 0). + private static long allocate(int size) { + return Helper.WHITE_BOX.allocateCodeBlob(size, BLOB_TYPES[0].id); + } + + // Free blob. + private static void free(long address) { + Helper.WHITE_BOX.freeCodeBlob(address); + } + + public static void main(String[] args) { + if (codeCacheMinBlockLength == 1) { + // Fill first code heap with large blobs until allocation fails. + long address; + while ((address = allocate((int)largeBlobSize)) != 0) { + } + + // Allocate segment-sized blocks in first code heap. + long lastSegmentSizedAddress = 0; // Address of the last segment-sized blob allocated + while ((address = allocate(0)) != 0) { + lastSegmentSizedAddress = address; + } + + if (lastSegmentSizedAddress == 0) { + throw new RuntimeException("Test failed: Not possible to allocate segment-sized blob"); + } + + // Remove last segment-sized block from the first code heap. + free(lastSegmentSizedAddress); + } else { + throw new RuntimeException("Test requires CodeCacheMinBlockLength==1; CodeCacheMinBlockLength is " + + codeCacheMinBlockLength); + } + } +}