8173151: Code heap corruption due to incorrect inclusion test

Change inclusion test to use CodeBlob::code_begin() for AOT methods and start of CodeBlob otherwise. Added regression test.

Reviewed-by: thartmann, dlong, kvn
Zoltan Majo 2017-02-10 08:16:49 +01:00
parent 7b93ee904b
commit ecee7fc84b
7 changed files with 113 additions and 6 deletions


@ -240,6 +240,11 @@ public:
assert(result == CodeHeap::contains(p), ""); assert(result == CodeHeap::contains(p), "");
return result; return result;
} }
bool contains_blob(const CodeBlob* blob) const {
return CodeHeap::contains(blob->code_begin());
}
AOTCompiledMethod* find_aot(address p) const; AOTCompiledMethod* find_aot(address p) const;
virtual void* find_start(void* p) const; virtual void* find_start(void* p) const;
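Review bot: The new `contains_blob` override gives no hint why it tests `blob->code_begin()` while the base `CodeHeap::contains_blob` tests the CodeBlob address itself, and a reader of the AOT heap alone cannot recover that from the code. I would put above it `// Unlike CodeHeap::contains_blob(), which tests the CodeBlob address, AOT heaps test the start of the code (see 8173151).`. Since the base declaration is virtual this still overrides, but writing `virtual` here as the neighbouring `find_start` declaration does would make that visible at a glance. The enclosing class starts outside the hunk.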


@ -417,7 +417,7 @@ void CodeCache::add_heap(ReservedSpace rs, const char* name, int code_blob_type)
CodeHeap* CodeCache::get_code_heap(const CodeBlob* cb) { CodeHeap* CodeCache::get_code_heap(const CodeBlob* cb) {
assert(cb != NULL, "CodeBlob is null"); assert(cb != NULL, "CodeBlob is null");
FOR_ALL_HEAPS(heap) { FOR_ALL_HEAPS(heap) {
if ((*heap)->contains(cb->code_begin())) { if ((*heap)->contains_blob(cb)) {
return *heap; return *heap;
} }
} }


@ -304,11 +304,10 @@ template <class T, class Filter> class CodeBlobIterator : public StackObj {
// If set to NULL, initialized by first call to next() // If set to NULL, initialized by first call to next()
_code_blob = (CodeBlob*)nm; _code_blob = (CodeBlob*)nm;
if (nm != NULL) { if (nm != NULL) {
address start = nm->code_begin(); while(!(*_heap)->contains_blob(_code_blob)) {
while(!(*_heap)->contains(start)) {
++_heap; ++_heap;
} }
assert((*_heap)->contains(start), "match not found"); assert((*_heap)->contains_blob(_code_blob), "match not found");
} }
} }
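Review bot: The rewritten `while(!(*_heap)->contains_blob(_code_blob))` loop in the iterator constructor has no upper bound, so when no heap contains the blob `++_heap` walks past the end of whatever `_heap` iterates and the `"match not found"` assert after the loop is never reached — the failure surfaces as an out-of-range dereference of `*_heap` rather than the intended message. The end of the heap list (its name is not visible in the hunk) should be part of the loop condition, with the assert then catching the exhausted case instead of merely restating the loop exit. The constructor's start and the enclosing class are outside the hunk.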


@ -190,6 +190,10 @@ void* CodeHeap::allocate(size_t instance_size) {
if (block != NULL) { if (block != NULL) {
assert(block->length() >= number_of_segments && block->length() < number_of_segments + CodeCacheMinBlockLength, "sanity check"); assert(block->length() >= number_of_segments && block->length() < number_of_segments + CodeCacheMinBlockLength, "sanity check");
assert(!block->free(), "must be marked free"); assert(!block->free(), "must be marked free");
guarantee((char*) block >= _memory.low_boundary() && (char*) block < _memory.high(),
"The newly allocated block " INTPTR_FORMAT " is not within the heap "
"starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT,
p2i(block), p2i(_memory.low_boundary()), p2i(_memory.high()));
DEBUG_ONLY(memset((void*)block->allocated_space(), badCodeHeapNewVal, instance_size)); DEBUG_ONLY(memset((void*)block->allocated_space(), badCodeHeapNewVal, instance_size));
_max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity()); _max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity());
_blob_count++; _blob_count++;
@ -204,6 +208,10 @@ void* CodeHeap::allocate(size_t instance_size) {
HeapBlock* b = block_at(_next_segment); HeapBlock* b = block_at(_next_segment);
b->initialize(number_of_segments); b->initialize(number_of_segments);
_next_segment += number_of_segments; _next_segment += number_of_segments;
guarantee((char*) b >= _memory.low_boundary() && (char*) block < _memory.high(),
"The newly allocated block " INTPTR_FORMAT " is not within the heap "
"starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT,
p2i(b), p2i(_memory.low_boundary()), p2i(_memory.high()));
DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapNewVal, instance_size)); DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapNewVal, instance_size));
_max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity()); _max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity());
_blob_count++; _blob_count++;
@ -219,6 +227,10 @@ void CodeHeap::deallocate(void* p) {
// Find start of HeapBlock // Find start of HeapBlock
HeapBlock* b = (((HeapBlock *)p) - 1); HeapBlock* b = (((HeapBlock *)p) - 1);
assert(b->allocated_space() == p, "sanity check"); assert(b->allocated_space() == p, "sanity check");
guarantee((char*) b >= _memory.low_boundary() && (char*) b < _memory.high(),
"The block to be deallocated " INTPTR_FORMAT " is not within the heap "
"starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT,
p2i(b), p2i(_memory.low_boundary()), p2i(_memory.high()));
DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapFreeVal, DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapFreeVal,
segments_to_size(b->length()) - sizeof(HeapBlock))); segments_to_size(b->length()) - sizeof(HeapBlock)));
add_to_freelist(b); add_to_freelist(b);
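Review bot: In the second hunk (the `block_at(_next_segment)` path of `CodeHeap::allocate`), the new guarantee mixes variables: `(char*) b >= _memory.low_boundary() && (char*) block < _memory.high()` checks the lower bound on `b` but the upper bound on `block`, which appears to be the earlier search result from the `if (block != NULL)` branch of the first hunk, so the upper bound never constrains the block actually being handed out. It should read `guarantee((char*) b >= _memory.low_boundary() && (char*) b < _memory.high(),`, as the first and third hunks do for their own variable. Separately, all three guarantees test only the block's start address; a block that begins inside the heap but extends past `_memory.high()` still passes, so if the intent is that the whole block lies in the heap, its end (`(char*) b + segments_to_size(b->length())`, the size expression the third hunk already uses) should be checked too. Both functions continue outside the hunks.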


@ -154,6 +154,8 @@ class CodeHeap : public CHeapObj<mtCode> {
char* high_boundary() const { return _memory.high_boundary(); } char* high_boundary() const { return _memory.high_boundary(); }
virtual bool contains(const void* p) const { return low_boundary() <= p && p < high(); } virtual bool contains(const void* p) const { return low_boundary() <= p && p < high(); }
virtual bool contains_blob(const CodeBlob* blob) const { return low_boundary() <= (char*) blob && (char*) blob < high(); }
virtual void* find_start(void* p) const; // returns the block containing p or NULL virtual void* find_start(void* p) const; // returns the block containing p or NULL
virtual CodeBlob* find_blob_unsafe(void* start) const; virtual CodeBlob* find_blob_unsafe(void* start) const;
size_t alignment_unit() const; // alignment of any block size_t alignment_unit() const; // alignment of any block
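Review bot: The new `contains_blob` in `CodeHeap` sits right after `contains()` with no comment, although it exists so that a subclass can test a different address than the blob pointer (the commit message says AOT heaps use `code_begin()`); the neighbouring `find_start` already carries a one-line comment, and this one deserves the same, e.g. `// True if the CodeBlob itself lies in this heap; AOT heaps override this to test the start of the code instead.`. The body also casts `const CodeBlob*` to `char*`, dropping const for no reason; `const char*` keeps the comparison identical, or the body can simply delegate to `CodeHeap::contains(blob)`, whose `const void*` parameter accepts the pointer without any cast. The class continues outside the hunk.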


@ -3374,7 +3374,7 @@ public:
"Code cache expansion size (in bytes)") \ "Code cache expansion size (in bytes)") \
range(0, max_uintx) \ range(0, max_uintx) \
\ \
develop_pd(uintx, CodeCacheMinBlockLength, \ diagnostic_pd(uintx, CodeCacheMinBlockLength, \
"Minimum number of segments in a code cache block") \ "Minimum number of segments in a code cache block") \
range(1, 100) \ range(1, 100) \
\ \
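Review bot: Moving `CodeCacheMinBlockLength` from `develop_pd` to `diagnostic_pd` makes it settable in product builds under `-XX:+UnlockDiagnosticVMOptions` (the added test relies on `-XX:CodeCacheMinBlockLength=1`), but the description string still reads like a plain tuning knob. A word on why it is exposed helps whoever next audits the diagnostic flags, e.g. `"Minimum number of segments in a code cache block (diagnostic; used by code cache stress tests)"`.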


@ -0,0 +1,89 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test ReturnBlobToWrongHeapTest
* @key stress
* @summary Test if VM attempts to return code blobs to an incorrect code heap or to outside of the code cache.
* @library /test/lib /
* @modules java.base/jdk.internal.misc
* java.management
*
* @build sun.hotspot.WhiteBox
* @run driver ClassFileInstaller sun.hotspot.WhiteBox
* sun.hotspot.WhiteBox$WhiteBoxPermission
* @run main/othervm -Xbootclasspath/a:. -XX:+UnlockDiagnosticVMOptions
* -XX:+WhiteBoxAPI
* -XX:CompileCommand=dontinline,compiler.codecache.stress.Helper$TestCase::method
* -XX:+SegmentedCodeCache
* -XX:ReservedCodeCacheSize=16M
* -XX:CodeCacheMinBlockLength=1
* compiler.codecache.stress.ReturnBlobToWrongHeapTest
*/
package compiler.codecache.stress;
import sun.hotspot.code.BlobType;
import java.util.ArrayList;
public class ReturnBlobToWrongHeapTest {
private static final long largeBlobSize = Helper.WHITE_BOX.getUintxVMFlag("ReservedCodeCacheSize") >> 6;
private static final long codeCacheMinBlockLength = Helper.WHITE_BOX.getUintxVMFlag("CodeCacheMinBlockLength");
private static final BlobType[] BLOB_TYPES = BlobType.getAvailable().toArray(new BlobType[0]);
// Allocate blob in first code heap (the code heap with index 0).
private static long allocate(int size) {
return Helper.WHITE_BOX.allocateCodeBlob(size, BLOB_TYPES[0].id);
}
// Free blob.
private static void free(long address) {
Helper.WHITE_BOX.freeCodeBlob(address);
}
public static void main(String[] args) {
if (codeCacheMinBlockLength == 1) {
// Fill first code heap with large blobs until allocation fails.
long address;
while ((address = allocate((int)largeBlobSize)) != 0) {
}
// Allocate segment-sized blocks in first code heap.
long lastSegmentSizedAddress = 0; // Address of the last segment-sized blob allocated
while ((address = allocate(0)) != 0) {
lastSegmentSizedAddress = address;
}
if (lastSegmentSizedAddress == 0) {
throw new RuntimeException("Test failed: Not possible to allocate segment-sized blob");
}
// Remove last segment-sized block from the first code heap.
free(lastSegmentSizedAddress);
} else {
throw new RuntimeException("Test requires CodeCacheMinBlockLength==1; CodeCacheMinBlockLength is " +
codeCacheMinBlockLength);
}
}
}
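Review bot: In `main`, the first fill loop `while ((address = allocate((int)largeBlobSize)) != 0) { }` assigns `address` but never reads it, and the empty body leaves the reader to infer that the loop's only job is exhausting the first heap; `while (allocate((int)largeBlobSize) != 0) { /* fill first code heap */ }` says that without the dead store. The test also never states its pass condition: success is the VM surviving `free(lastSegmentSizedAddress)` and failure is the new `guarantee` in `CodeHeap::deallocate` firing, which the `@summary` does not spell out, so a line such as `// Passes if the VM survives freeing the last segment-sized blob; returning it to the wrong heap trips the guarantee in CodeHeap::deallocate.` above `main` would make the contract visible. `import java.util.ArrayList;` is unused and can be dropped.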