8173151: Code heap corruption due to incorrect inclusion test
Summary: Change inclusion test to use CodeBlob::code_begin() for AOT methods and start of CodeBlob otherwise. Added regression test.
Reviewed-by: thartmann, dlong, kvn
--- a/hotspot/src/share/vm/aot/aotCodeHeap.hpp Thu Feb 09 19:08:32 2017 -0800
+++ b/hotspot/src/share/vm/aot/aotCodeHeap.hpp Fri Feb 10 08:16:49 2017 +0100
@@ -240,6 +240,11 @@
assert(result == CodeHeap::contains(p), "");
return result;
}
+
+ bool contains_blob(const CodeBlob* blob) const {
+ return CodeHeap::contains(blob->code_begin());
+ }
+
AOTCompiledMethod* find_aot(address p) const;
virtual void* find_start(void* p) const;
--- a/hotspot/src/share/vm/code/codeCache.cpp Thu Feb 09 19:08:32 2017 -0800
+++ b/hotspot/src/share/vm/code/codeCache.cpp Fri Feb 10 08:16:49 2017 +0100
@@ -417,7 +417,7 @@
CodeHeap* CodeCache::get_code_heap(const CodeBlob* cb) {
assert(cb != NULL, "CodeBlob is null");
FOR_ALL_HEAPS(heap) {
- if ((*heap)->contains(cb->code_begin())) {
+ if ((*heap)->contains_blob(cb)) {
return *heap;
}
}
--- a/hotspot/src/share/vm/code/codeCache.hpp Thu Feb 09 19:08:32 2017 -0800
+++ b/hotspot/src/share/vm/code/codeCache.hpp Fri Feb 10 08:16:49 2017 +0100
@@ -304,11 +304,10 @@
// If set to NULL, initialized by first call to next()
_code_blob = (CodeBlob*)nm;
if (nm != NULL) {
- address start = nm->code_begin();
- while(!(*_heap)->contains(start)) {
+ while(!(*_heap)->contains_blob(_code_blob)) {
++_heap;
}
- assert((*_heap)->contains(start), "match not found");
+ assert((*_heap)->contains_blob(_code_blob), "match not found");
}
}
--- a/hotspot/src/share/vm/memory/heap.cpp Thu Feb 09 19:08:32 2017 -0800
+++ b/hotspot/src/share/vm/memory/heap.cpp Fri Feb 10 08:16:49 2017 +0100
@@ -190,6 +190,10 @@
if (block != NULL) {
assert(block->length() >= number_of_segments && block->length() < number_of_segments + CodeCacheMinBlockLength, "sanity check");
assert(!block->free(), "must be marked free");
+ guarantee((char*) block >= _memory.low_boundary() && (char*) block < _memory.high(),
+ "The newly allocated block " INTPTR_FORMAT " is not within the heap "
+ "starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT,
+ p2i(block), p2i(_memory.low_boundary()), p2i(_memory.high()));
DEBUG_ONLY(memset((void*)block->allocated_space(), badCodeHeapNewVal, instance_size));
_max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity());
_blob_count++;
@@ -204,6 +208,10 @@
HeapBlock* b = block_at(_next_segment);
b->initialize(number_of_segments);
_next_segment += number_of_segments;
+ guarantee((char*) b >= _memory.low_boundary() && (char*) block < _memory.high(),
+ "The newly allocated block " INTPTR_FORMAT " is not within the heap "
+ "starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT,
+ p2i(b), p2i(_memory.low_boundary()), p2i(_memory.high()));
DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapNewVal, instance_size));
_max_allocated_capacity = MAX2(_max_allocated_capacity, allocated_capacity());
_blob_count++;
@@ -219,6 +227,10 @@
// Find start of HeapBlock
HeapBlock* b = (((HeapBlock *)p) - 1);
assert(b->allocated_space() == p, "sanity check");
+ guarantee((char*) b >= _memory.low_boundary() && (char*) b < _memory.high(),
+ "The block to be deallocated " INTPTR_FORMAT " is not within the heap "
+ "starting with " INTPTR_FORMAT " and ending with " INTPTR_FORMAT,
+ p2i(b), p2i(_memory.low_boundary()), p2i(_memory.high()));
DEBUG_ONLY(memset((void *)b->allocated_space(), badCodeHeapFreeVal,
segments_to_size(b->length()) - sizeof(HeapBlock)));
add_to_freelist(b);
--- a/hotspot/src/share/vm/memory/heap.hpp Thu Feb 09 19:08:32 2017 -0800
+++ b/hotspot/src/share/vm/memory/heap.hpp Fri Feb 10 08:16:49 2017 +0100
@@ -153,7 +153,9 @@
char* high() const { return _memory.high(); }
char* high_boundary() const { return _memory.high_boundary(); }
- virtual bool contains(const void* p) const { return low_boundary() <= p && p < high(); }
+ virtual bool contains(const void* p) const { return low_boundary() <= p && p < high(); }
+ virtual bool contains_blob(const CodeBlob* blob) const { return low_boundary() <= (char*) blob && (char*) blob < high(); }
+
virtual void* find_start(void* p) const; // returns the block containing p or NULL
virtual CodeBlob* find_blob_unsafe(void* start) const;
size_t alignment_unit() const; // alignment of any block
--- a/hotspot/src/share/vm/runtime/globals.hpp Thu Feb 09 19:08:32 2017 -0800
+++ b/hotspot/src/share/vm/runtime/globals.hpp Fri Feb 10 08:16:49 2017 +0100
@@ -3374,7 +3374,7 @@
"Code cache expansion size (in bytes)") \
range(0, max_uintx) \
\
- develop_pd(uintx, CodeCacheMinBlockLength, \
+ diagnostic_pd(uintx, CodeCacheMinBlockLength, \
"Minimum number of segments in a code cache block") \
range(1, 100) \
\
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hotspot/test/compiler/codecache/stress/ReturnBlobToWrongHeapTest.java Fri Feb 10 08:16:49 2017 +0100
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test ReturnBlobToWrongHeapTest
+ * @key stress
+ * @summary Test if VM attempts to return code blobs to an incorrect code heap or to outside of the code cache.
+ * @library /test/lib /
+ * @modules java.base/jdk.internal.misc
+ * java.management
+ *
+ * @build sun.hotspot.WhiteBox
+ * @run driver ClassFileInstaller sun.hotspot.WhiteBox
+ * sun.hotspot.WhiteBox$WhiteBoxPermission
+ * @run main/othervm -Xbootclasspath/a:. -XX:+UnlockDiagnosticVMOptions
+ * -XX:+WhiteBoxAPI
+ * -XX:CompileCommand=dontinline,compiler.codecache.stress.Helper$TestCase::method
+ * -XX:+SegmentedCodeCache
+ * -XX:ReservedCodeCacheSize=16M
+ * -XX:CodeCacheMinBlockLength=1
+ * compiler.codecache.stress.ReturnBlobToWrongHeapTest
+ */
+
+package compiler.codecache.stress;
+
+import sun.hotspot.code.BlobType;
+
+import java.util.ArrayList;
+
+public class ReturnBlobToWrongHeapTest {
+ private static final long largeBlobSize = Helper.WHITE_BOX.getUintxVMFlag("ReservedCodeCacheSize") >> 6;
+ private static final long codeCacheMinBlockLength = Helper.WHITE_BOX.getUintxVMFlag("CodeCacheMinBlockLength");
+ private static final BlobType[] BLOB_TYPES = BlobType.getAvailable().toArray(new BlobType[0]);
+
+ // Allocate blob in first code heap (the code heap with index 0).
+ private static long allocate(int size) {
+ return Helper.WHITE_BOX.allocateCodeBlob(size, BLOB_TYPES[0].id);
+ }
+
+ // Free blob.
+ private static void free(long address) {
+ Helper.WHITE_BOX.freeCodeBlob(address);
+ }
+
+ public static void main(String[] args) {
+ if (codeCacheMinBlockLength == 1) {
+ // Fill first code heap with large blobs until allocation fails.
+ long address;
+ while ((address = allocate((int)largeBlobSize)) != 0) {
+ }
+
+ // Allocate segment-sized blocks in first code heap.
+ long lastSegmentSizedAddress = 0; // Address of the last segment-sized blob allocated
+ while ((address = allocate(0)) != 0) {
+ lastSegmentSizedAddress = address;
+ }
+
+ if (lastSegmentSizedAddress == 0) {
+ throw new RuntimeException("Test failed: Not possible to allocate segment-sized blob");
+ }
+
+ // Remove last segment-sized block from the first code heap.
+ free(lastSegmentSizedAddress);
+ } else {
+ throw new RuntimeException("Test requires CodeCacheMinBlockLength==1; CodeCacheMinBlockLength is " +
+ codeCacheMinBlockLength);
+ }
+ }
+}