8369506: Bytecode rewriting causes Java heap corruption on AArch64

[jcking]

Fix JDK-8369506 by adding STLR when updating the bytecode. Additionally I added a quick debug only check which verifies the field offset we get from ResolvedFieldEntry in TemplateTable::fast_* will not clobber the header or Klass pointer. The added STLR, a long with the already existing DMB ISHLD in InterpreterMacroAssembler::load_field_entry, guarantees that the fully filled out ResolvedFieldEntry is observable if the patched bytecode is observable. We do not need to add LDAR for bytecode loading or LDAR in TemplateTable::fast_* for that reason. If another observer happens to observe a 0 field offset, its guaranteed then that they will also observe the non-patched bytecode which will ultimately end up doing the resolution again, which is okay.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed (2 reviews required, with at least 1 Reviewer, 1 Author)

Issue

• JDK-8369506: Bytecode rewriting causes Java heap corruption on AArch64 (Bug - P2)

Reviewers

• Aleksey Shipilev (@shipilev - Reviewer)
• Andrew Haley (@theRealAph - Reviewer)
• Man Cao (@caoman - Committer)

Contributors

• Man Cao <[email protected]>
• Chuck Rasbold <[email protected]>

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/27748/head:pull/27748
$ git checkout pull/27748

Update a local copy of the PR:
$ git checkout pull/27748
$ git pull https://git.openjdk.org/jdk.git pull/27748/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 27748

View PR using the GUI difftool:
$ git pr show -t 27748

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/27748.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back jcking! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@jcking This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8369506: Bytecode rewriting causes Java heap corruption on AArch64

Co-authored-by: Man Cao <[email protected]>
Co-authored-by: Chuck Rasbold <[email protected]>
Reviewed-by: shade, aph, manc

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 2 new commits pushed to the master branch:

• c9cbd31: 8307495: Specialize atomic bitset functions for aix-ppc
• bfe6937: 8369444: JavaFrameAnchor on PPC64 has unnecessary barriers

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

@jcking The following label will be automatically applied to this pull request:

• hotspot-compiler

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[jcking]

/contributor add manc

[jcking]

/contributor add rasbold

[openjdk]

@jcking
Contributor Man Cao <[email protected]> successfully added.

[openjdk]

@jcking
Contributor Chuck Rasbold <[email protected]> successfully added.

[theRealAph]

Fix JDK-8369506 by adding STLR when updating the bytecode. Additionally I added a quick debug only check which verifies the field offset we get from ResolvedFieldEntry in TemplateTable::fast_* will not clobber the header or Klass pointer. The added STLR guarantees that the fully filled out ResolvedFieldEntry is observable if the patched bytecode is observable. We do not need to add LDAR for bytecode loading or LDAR in TemplateTable::fast_* for that reason.

How does this follow? We need some sort of happens-before relationship on the reader side to make sure that the resolved field entry is observed. I guess this PR relies on a control dependency between reading the patched bytecode and executing the code that reads the resolved field entry.

[jcking]

Fix JDK-8369506 by adding STLR when updating the bytecode. Additionally I added a quick debug only check which verifies the field offset we get from ResolvedFieldEntry in TemplateTable::fast_* will not clobber the header or Klass pointer. The added STLR guarantees that the fully filled out ResolvedFieldEntry is observable if the patched bytecode is observable. We do not need to add LDAR for bytecode loading or LDAR in TemplateTable::fast_* for that reason.

How does this follow? We need some sort of happens-before relationship on the reader side to make sure that the resolved field entry is observed. I guess this PR relies on a control dependency between reading the patched bytecode and executing the code that reads the resolved field entry.

Yes, that is what the PR relies upon. However we are still discussing internally on whether that is enough as we would rather not have a repeat N years down the line as hardware advances. I left this in draft until we figure it out and will poke you once we are more confident.

The AArch64 docs are not super clear. It does have this sentence: A store-release guarantees that all earlier memory accesses are visible before the store-release becomes visible and that the store is visible to all parts of the system capable of storing cached data at the same time. Which to me, a long with other terminology, seems to imply the two STLRs are enough. But I wouldn't bet money on it.

[theRealAph]

But I wouldn't bet money on it.

B2.3.6, Dependency relations, Control dependency, gives you what you need on the reader side.

[jcking]

Based on conversations in https://bugs.openjdk.org/browse/JDK-8369506 and herd7 models, it is believed that this patch is sufficient for AArch64. Marking as ready.

[jcking]

@shipilev PTAL as well.

[mlbridge]

Webrevs

• 02: Full - Incremental (95d4831f)
• 01: Full - Incremental (3575e7ba)
• 00: Full (2f1b5e0a)

[shipilev]

Yes, I agree this is sufficient. I have only cosmetic comments:

[shipilev]

/reviewers 2

[openjdk]

@shipilev
The total number of required reviews for this PR (including the jcheck configuration and the last /reviewers command) is now set to 2 (with at least 1 Reviewer, 1 Author).

[shipilev]

Now running tests in my Graviton 3 instance to make sure the new verification code is not barfing up anywhere.

PR patch applies with fuzz, BTW, consider merging from mainline:

% patch -p1 < 27748.diff 
patching file src/hotspot/cpu/aarch64/interp_masm_aarch64.cpp
patching file src/hotspot/cpu/aarch64/interp_masm_aarch64.hpp
patching file src/hotspot/cpu/aarch64/templateTable_aarch64.cpp
Hunk #3 succeeded at 3098 (offset 15 lines).
Hunk #4 succeeded at 3188 (offset 15 lines).
Hunk #5 succeeded at 3256 (offset 15 lines).

[jcking]

PR patch applies with fuzz, BTW, consider merging from mainline:

Merged.

[shipilev]

Linux AArch64 server fastdebug, make test TEST=all has no new problems here.

[theRealAph]

OK. Please make sure that this has bug reports for PPC and RISCV, and announce them to hotspot-dev.

[jcking]

OK. Please make sure that this has bug reports for PPC and RISCV, and announce them to hotspot-dev.

When you talk about announce, are you just referring to sending a somewhat short and sweet email to hotspot-dev calling out the 3 issues (RISCV and PPC bugs to be created) and that they can result in Java heap corruption? Just want to make sure I am not annoying people. I'll file the RISCV and PPC bugs shortly or tomorrow morning, integrate this after, and pursue a backport to JDK 25. There was a code change in this path before JDK 25, IIRC, so the fix would have to be validated again for JDKs before that.

[caoman]

LG, but with a question about hoisting the member(LoadLoad):
https://bugs.openjdk.org/browse/JDK-8369506?focusedId=14825240&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14825240

[shipilev]

When you talk about announce, are you just referring to sending a somewhat short and sweet email to hotspot-dev calling out the 3 issues (RISCV and PPC bugs to be created) and that they can result in Java heap corruption?

There is no need to announce on hotspot-dev.

I looked through the other arches, so:

• ARM32 looks affected; @bulasevich, take note: https://bugs.openjdk.org/browse/JDK-8369969
• PPC64 looks affected; @TheRealMDoerr, take note: https://bugs.openjdk.org/browse/JDK-8369946
• RISC-V looks affected; @RealFYang, take note: https://bugs.openjdk.org/browse/JDK-8369947
• S390 does not look affected; TSO handles this for us, @offamitkumar, please confirm
• x86 does not look affected; TSO handles this for us

[shipilev]

LG, but with a question about hoisting the member(LoadLoad):

One can, but then you'll have to remember to put it in every TemplateTable::fast_* that might be accessing RFE. So putting it near RFE access itself looks more reliable, even though not exactly on point.

[shipilev]

@theRealAph -- oddly, I have GH notifications about some of your recent suggestions in comments, but I do not see them in PR itself. Maybe you need to "publish" the review?

[theRealAph]

@theRealAph -- oddly, I have GH notifications about some of your recent suggestions in comments, but I do not see them in PR itself. Maybe you need to "publish" the review?

No, I made some mistakes so deleted the comments.

[jcking]

/integrate

[openjdk]

Going to push as commit 18fd047.
Since your change was applied there have been 32 commits pushed to the master branch:

• 1392a0b: 8368740: Serial: Swap eden and survivor spaces position in young generation
• 3248aaf: 8356548: Use ClassFile API instead of ASM to transform classes in tests
• 9589a29: 8355752: Bump minimum boot jdk to JDK 25
• ... and 29 more: https://git.openjdk.org/jdk/compare/1bd814c3b24eb7ef5633ee34bb418e0981ca1708...master

Your commit was automatically rebased without conflicts.

[openjdk]

@jcking Pushed as commit 18fd047.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.