GrowableArrays can be instantiated for allocation from the current thread's ResourceArea.
(using this constructor https://github.com/openjdk/jdk/blob/587f2b4b4dd73733a6ee247200371f8a8d0299c1/src/hotspot/share/utilities/growableArray.hpp#L755)
In that case the _metadata is initialized for nesting checks on grow operations of the GrowableArray.
(see https://github.com/openjdk/jdk/blob/587f2b4b4dd73733a6ee247200371f8a8d0299c1/src/hotspot/share/utilities/growableArray.hpp#L759
and https://github.com/openjdk/jdk/blob/587f2b4b4dd73733a6ee247200371f8a8d0299c1/src/hotspot/share/utilities/growableArray.hpp#L646)
The nesting checks are omitted if an allocation Arena is passed to the GrowableArray constructor.
(see https://github.com/openjdk/jdk/blob/587f2b4b4dd73733a6ee247200371f8a8d0299c1/src/hotspot/share/utilities/growableArray.hpp#L652).
Proposed enhancement: do nesting checks if the Arena is in fact a ResourceArea.
Example: PhaseChaitin::_lrg_map::_names is constructed passing an Arena which is in fact the thread's ResourceArea.
(see https://github.com/openjdk/jdk/blob/587f2b4b4dd73733a6ee247200371f8a8d0299c1/src/hotspot/share/opto/chaitin.cpp#L212
and https://github.com/openjdk/jdk/blob/5b12a87dcb47b5783f179534e2de43d5a920a489/src/hotspot/share/opto/chaitin.hpp#L378)
These additional nesting checks would have indicated the cause of JDK-8328085.
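The nesting check described in the report, as an added illustration that is not JDK code: a miniature Arena / ResourceArea / ResourceMark / GrowableArray in which the class names, the `detect_resource_area` constructor flag (false models today's "any Arena, no checks" behaviour, true models the proposed enhancement) and the 0xAB poisoning of released memory are all assumptions made for this example. It shows why a grow at a deeper ResourceMark nesting than the array's construction depth leaves the array pointing at memory the inner mark releases, and how recording the nesting depth at construction catches that grow.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical miniature of HotSpot's Arena / ResourceArea / ResourceMark /
// GrowableArray (added illustration, not JDK code). Names, layout and the
// detect_resource_area flag are assumptions made for this example.

struct Arena {                      // plain bump allocator
  std::vector<char> storage;
  size_t top = 0;
  explicit Arena(size_t cap) : storage(cap) {}
  virtual ~Arena() = default;
  void* allocate(size_t bytes) {
    assert(top + bytes <= storage.size());
    void* p = storage.data() + top;
    top += bytes;
    return p;
  }
};

// A ResourceArea is an Arena whose allocations are released by the
// innermost live ResourceMark; `nesting` counts the live marks.
struct ResourceArea : Arena {
  int nesting = 0;
  using Arena::Arena;
};

struct ResourceMark {
  ResourceArea& area;
  size_t saved_top;
  explicit ResourceMark(ResourceArea& a) : area(a), saved_top(a.top) { area.nesting++; }
  ~ResourceMark() {
    area.nesting--;
    // Release everything allocated since the mark; poison it (assumed 0xAB)
    // so a dangling read is visible instead of silently returning stale data.
    std::memset(area.storage.data() + saved_top, 0xAB, area.top - saved_top);
    area.top = saved_top;
  }
};

// Growable int array living in an Arena. When the arena is recognised as a
// ResourceArea, the array records the nesting depth at construction and
// refuses to grow at any other depth: a buffer grown inside an inner
// ResourceMark is released when that mark is popped, while the array
// (created at the outer depth) would still point to it.
class GrowableArray {
  Arena& _arena;
  ResourceArea* _ra;   // non-null only when nesting checks are active
  int* _data;
  int _len, _cap;
  int _nesting;        // the "_metadata": nesting depth at construction
 public:
  // detect_resource_area=false: today's behaviour (any Arena -> no checks).
  // detect_resource_area=true: proposed enhancement (check when the Arena
  // is in fact a ResourceArea).
  GrowableArray(Arena& arena, int cap, bool detect_resource_area)
      : _arena(arena), _ra(nullptr), _len(0), _cap(cap), _nesting(0) {
    if (detect_resource_area) _ra = dynamic_cast<ResourceArea*>(&arena);
    if (_ra != nullptr) _nesting = _ra->nesting;
    _data = static_cast<int*>(arena.allocate(sizeof(int) * cap));
  }
  // Returns false where HotSpot would assert: a grow at the wrong nesting.
  bool append(int v) {
    if (_len == _cap) {
      if (_ra != nullptr && _ra->nesting != _nesting) return false;
      int ncap = _cap * 2;
      int* nd = static_cast<int*>(_arena.allocate(sizeof(int) * ncap));
      std::memcpy(nd, _data, sizeof(int) * _len);
      _data = nd;
      _cap = ncap;
    }
    _data[_len++] = v;
    return true;
  }
  int at(int i) const { int v; std::memcpy(&v, _data + i, sizeof v); return v; }
  int length() const { return _len; }
};

// Today's situation: the ResourceArea is passed as an Arena, so no checks.
// The grow inside the inner mark lands in memory the inner mark releases;
// the later read sees poison instead of the value 1 (the JDK-8328085 pattern).
int grow_unchecked() {
  ResourceArea area(4096);
  ResourceMark outer(area);
  GrowableArray arr(area, 2, /*detect_resource_area=*/false);
  arr.append(1);
  arr.append(2);
  {
    ResourceMark inner(area);
    arr.append(3);              // grows: the new buffer is owned by `inner`
  }                             // `inner` releases and poisons that buffer
  return arr.at(0);             // stale read; not 1
}

// Proposed enhancement: the Arena is detected as a ResourceArea, so the
// grow at the deeper nesting is refused instead of creating a dangling buffer.
bool grow_checked_refuses() {
  ResourceArea area(4096);
  ResourceMark outer(area);
  GrowableArray arr(area, 2, /*detect_resource_area=*/true);
  arr.append(1);
  arr.append(2);
  ResourceMark inner(area);
  return arr.append(3) == false;
}

// Growing at the same nesting level as construction is the legitimate case
// and passes the check.
int grow_checked_same_level() {
  ResourceArea area(4096);
  ResourceMark outer(area);
  GrowableArray arr(area, 2, /*detect_resource_area=*/true);
  for (int i = 0; i < 10; i++) assert(arr.append(i));
  return arr.at(9);
}
```

In the real HotSpot code the refused grow is an assert in a debug build rather than a `false` return; the toy returns a value so the three scenarios can be compared side by side. The check only has teeth when the array knows its Arena is a ResourceArea, which is exactly what the proposed enhancement adds for the `Arena`-typed constructor.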
Relates to:
- JDK-8328085 C2: Use after free in PhaseChaitin::Register_Allocate() (Resolved)

Links to:
- Commit(master) openjdk/jdk/4c33caa1
- Review(master) openjdk/jdk/22269