- Bug
- Resolution: Fixed
- P3
- 11, 17, 21
- b25
Instrumenting Arena for ASan has revealed an awkward use-after-free in C2. It appears PhaseIterGVN ends up copying Compile::for_igvn() by value in its constructor. It then, intentionally or not, causes the list to grow, triggering Arealloc. This leaves the original Compile::for_igvn() Unique_Node_List pointing to freed memory, which eventually gets used again.
We need to untangle the expectations around PhaseIterGVN and whether modifications to either the Unique_Node_List or the Node_Stack it copies by value in its constructors should be visible to the caller.
Should PhaseIterGVN be using copy-on-write semantics? Should PhaseIterGVN be propagating changes to either Unique_Node_List or Node_Stack back to the caller it copied them from?
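The hazard described above, reduced to a toy arena and list so it runs stand-alone. This is an added illustration, not HotSpot code: ToyArena and ToyNodeList are invented stand-ins for Arena and Unique_Node_List, and retired blocks are tracked instead of freed so the check is safe to run.

```cpp
#include <cstring>
#include <memory>
#include <set>
#include <vector>
// Toy arena (stand-in for HotSpot's Arena). Arealloc() moves a block to a new
// chunk and retires the old one; retired blocks are recorded, not freed.
struct ToyArena {
  std::set<void*> retired;
  std::vector<std::unique_ptr<char[]>> chunks;
  void* Amalloc(std::size_t n) { chunks.emplace_back(new char[n]); return chunks.back().get(); }
  void* Arealloc(void* old, std::size_t old_n, std::size_t new_n) {
    void* p = Amalloc(new_n);
    std::memcpy(p, old, old_n);
    retired.insert(old);  // the old block is poisoned from here on
    return p;
  }
  bool is_poisoned(void* p) const { return retired.count(p) != 0; }
};
// Simplified Node_List. Its implicit copy constructor copies the buffer
// pointer, not the storage: that shared pointer is the hazard in the report.
struct ToyNodeList {
  ToyArena* arena; int* buf; std::size_t cap; std::size_t cnt;
  ToyNodeList(ToyArena* a, std::size_t c)
    : arena(a), buf(static_cast<int*>(a->Amalloc(c * sizeof(int)))), cap(c), cnt(0) {}
  void push(int v) {
    if (cnt == cap) {  // grow: any other copy's buf now names a retired block
      buf = static_cast<int*>(arena->Arealloc(buf, cap * sizeof(int), 2 * cap * sizeof(int)));
      cap *= 2;
    }
    buf[cnt++] = v;
  }
};
// Mirrors PhaseIterGVN copying Compile::for_igvn() by value: the copy grows,
// and the caller's list is left pointing at retired storage.
bool caller_list_dangles_after_copy_grows() {
  ToyArena arena; ToyNodeList for_igvn(&arena, 2);
  for_igvn.push(1); for_igvn.push(2);     // full: the next push must grow
  ToyNodeList worklist = for_igvn;         // by-value copy sharing buf
  worklist.push(3);                        // Arealloc retires the shared block
  return arena.is_poisoned(for_igvn.buf);  // true: the caller's view is stale
}
// Remedy: work through a reference to the caller's list, so growth updates
// the one shared object instead of a detached copy.
bool caller_list_valid_with_reference() {
  ToyArena arena; ToyNodeList for_igvn(&arena, 2);
  for_igvn.push(1); for_igvn.push(2);
  ToyNodeList& worklist = for_igvn;  worklist.push(3);
  return !arena.is_poisoned(for_igvn.buf) && for_igvn.cnt == 3;
}
```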
==3227315==ERROR: AddressSanitizer: use-after-poison on address 0x6290005b9210 at pc 0x7f619ca47681 bp 0x7f60d80eb8e0 sp 0x7f60d80eb090
WRITE of size 16384 at 0x6290005b9210 thread T17
#0 0x7f619ca47680 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
#1 0x7f6197e15ccb in Copy::pd_zero_to_bytes(void*, unsigned long) src/hotspot/cpu/x86/copy_x86.hpp:59
#2 0x7f6197e15ccb in Copy::zero_to_bytes(void*, unsigned long) src/hotspot/share/utilities/copy.hpp:298
#3 0x7f6197e15ccb in Node_Array::clear() src/hotspot/share/opto/node.hpp:1548
#4 0x7f6197e15ccb in Node_List::clear() src/hotspot/share/opto/node.hpp:1572
#5 0x7f6197e15ccb in Unique_Node_List::clear() src/hotspot/share/opto/node.hpp:1623
#6 0x7f6197e15ccb in Compile::Optimize() src/hotspot/share/opto/compile.cpp:2269
#7 0x7f6197e1cf12 in Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:833
#8 0x7f6197af05ce in C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
#9 0x7f6197e33890 in CompileBroker::invoke_compiler_on_method(CompileTask*) src/hotspot/share/compiler/compileBroker.cpp:2237
#10 0x7f6197e364a7 in CompileBroker::compiler_thread_loop() src/hotspot/share/compiler/compileBroker.cpp:1916
#11 0x7f61989b235b in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:710
#12 0x7f61989b274f in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:689
#13 0x7f61989b274f in JavaThread::run() src/hotspot/share/runtime/javaThread.cpp:695
#14 0x7f619a1f0e75 in Thread::call_run() src/hotspot/share/runtime/thread.cpp:224
#15 0x7f619986317f in thread_native_entry src/hotspot/os/linux/os_linux.cpp:737
#16 0x7f619c8a7fd3 in start_thread nptl/pthread_create.c:442
#17 0x7f619c92866b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x6290005b9210 is located 16 bytes inside of 16400-byte region [0x6290005b9200,0x6290005bd210)
allocated by thread T17 here:
#0 0x7f619cab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f619984b0ba in os::malloc(unsigned long, MEMFLAGS, NativeCallStack const&) src/hotspot/share/runtime/os.cpp:673
#2 0x7f619749a87e in Chunk::operator new(unsigned long, AllocFailStrategy::AllocFailEnum, unsigned long) src/hotspot/share/memory/arena.cpp:190
#3 0x7f619749a87e in Arena::grow(unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.cpp:319
#4 0x7f619749ac5c in Arena::internal_amalloc(unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.hpp:113
#5 0x7f619749ac5c in Arena::Amalloc(unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.hpp:133
#6 0x7f619749ac5c in Arena::Arealloc(void*, unsigned long, unsigned long, AllocFailStrategy::AllocFailEnum) src/hotspot/share/memory/arena.cpp:370
#7 0x7f61997a5f6f in Node_Array::grow(unsigned int) src/hotspot/share/opto/node.cpp:2778
#8 0x7f61998fd96c in Node_Array::map(unsigned int, Node*) src/hotspot/share/opto/node.hpp:1543
#9 0x7f61998fd96c in Node_List::push(Node*) src/hotspot/share/opto/node.hpp:1569
#10 0x7f61998fd96c in Unique_Node_List::push(Node*) src/hotspot/share/opto/node.hpp:1601
#11 0x7f61998fd96c in Compile::record_for_igvn(Node*) src/hotspot/share/opto/node.hpp:1672
#12 0x7f61998fd96c in GraphKit::record_for_igvn(Node*) const src/hotspot/share/opto/graphKit.hpp:96
#13 0x7f61998fd96c in Parse::merge_memory_edges(MergeMemNode*, int, bool) src/hotspot/share/opto/parse1.cpp:1886
#14 0x7f61998fe585 in Parse::merge_common(Parse::Block*, int) src/hotspot/share/opto/parse1.cpp:1763
#15 0x7f6199902b6e in Parse::do_all_blocks() src/hotspot/share/opto/parse1.cpp:707
#16 0x7f619990c6b4 in Parse::Parse(JVMState*, ciMethod*, float) src/hotspot/share/opto/parse1.cpp:613
#17 0x7f6197af3175 in ParseGenerator::generate(JVMState*) src/hotspot/share/opto/callGenerator.cpp:99
#18 0x7f6197af9b11 in PredictedCallGenerator::generate(JVMState*) src/hotspot/share/opto/callGenerator.cpp:915
#19 0x7f61981ff789 in Parse::do_call() src/hotspot/share/opto/doCall.cpp:662
#20 0x7f619992e27f in Parse::do_one_bytecode() src/hotspot/share/opto/parse2.cpp:2704
#21 0x7f6199901796 in Parse::do_one_block() src/hotspot/share/opto/parse1.cpp:1560
#22 0x7f6199902b6e in Parse::do_all_blocks() src/hotspot/share/opto/parse1.cpp:707
#23 0x7f619990c6b4 in Parse::Parse(JVMState*, ciMethod*, float) src/hotspot/share/opto/parse1.cpp:613
#24 0x7f6197af3175 in ParseGenerator::generate(JVMState*) src/hotspot/share/opto/callGenerator.cpp:99
#25 0x7f6197af9b11 in PredictedCallGenerator::generate(JVMState*) src/hotspot/share/opto/callGenerator.cpp:915
#26 0x7f61981ff789 in Parse::do_call() src/hotspot/share/opto/doCall.cpp:662
#27 0x7f619992e27f in Parse::do_one_bytecode() src/hotspot/share/opto/parse2.cpp:2704
#28 0x7f6199901796 in Parse::do_one_block() src/hotspot/share/opto/parse1.cpp:1560
#29 0x7f6199902b6e in Parse::do_all_blocks() src/hotspot/share/opto/parse1.cpp:707
#30 0x7f619990c6b4 in Parse::Parse(JVMState*, ciMethod*, float) src/hotspot/share/opto/parse1.cpp:613
#31 0x7f6197af3175 in ParseGenerator::generate(JVMState*) src/hotspot/share/opto/callGenerator.cpp:99
#32 0x7f6197e1c9cc in Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:763
#33 0x7f6197af05ce in C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:113
#34 0x7f6197e33890 in CompileBroker::invoke_compiler_on_method(CompileTask*) src/hotspot/share/compiler/compileBroker.cpp:2237
#35 0x7f6197e364a7 in CompileBroker::compiler_thread_loop() src/hotspot/share/compiler/compileBroker.cpp:1916
#36 0x7f61989b235b in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:710
#37 0x7f61989b274f in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:689
#38 0x7f61989b274f in JavaThread::run() src/hotspot/share/runtime/javaThread.cpp:695
- relates to
- JDK-8325672 C2: allocate PhaseIdealLoop::_loop_or_ctrl from C->comp_arena() (Resolved)
- JDK-8307815 C2 Phase structure cleanup (Open)
- JDK-8301373 Potential use after free in GrowableArray (Open)
- JDK-8337015 Revisit resource arena allocations in C2 (Open)
- JDK-8319649 inline_boxing_calls unused gvn variable (Resolved)
- (2 links to)