JDK-8364514

[asan] runtime/jni/checked/TestCharArrayReleasing.java heap-buffer-overflow


    • b10
    • x86_64, aarch64
    • linux

        When running the HotSpot tier1 jtreg tests with ASAN-enabled binaries, the test runtime/jni/checked/TestCharArrayReleasing.java fails with the output below:

         stdout: [Testing release function ReleaseCharArrayElements with array from malloc
        ];
         stderr: [=================================================================
        ==37362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000045cc0 at pc 0x7fa0dcd25820 bp 0x7fa0da7cec50 sp 0x7fa0da7cec48
        READ of size 8 at 0x503000045cc0 thread T1
            #0 0x7fa0dcd2581f in GuardedMemory::GuardHeader::get_tag() const src/hotspot/share/memory/guardedMemory.hpp:152
            #1 0x7fa0dcd2581f in GuardedMemory::get_tag() const src/hotspot/share/memory/guardedMemory.hpp:245
            #2 0x7fa0dcd2581f in check_wrapped_array src/hotspot/share/prims/jniCheck.cpp:385
            #3 0x7fa0dcd25a76 in check_wrapped_array_release src/hotspot/share/prims/jniCheck.cpp:430
            #4 0x7fa0dcd27b02 in checked_jni_ReleaseCharArrayElements src/hotspot/share/prims/jniCheck.cpp:1743
            #5 0x7fa0e1271620 in Java_TestCharArrayReleasing_testIt test/hotspot/jtreg/runtime/jni/checked/libCharArrayReleasing.c:110
            #6 0x7fa0c8d974a4 (<unknown module>)

        0x503000045cc0 is located 16 bytes before 20-byte region [0x503000045cd0,0x503000045ce4)
        allocated by thread T1 here:
            #0 0x7fa0e23722b7 in malloc (/usr/lib64/libasan.so.8+0xf72b7) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
            #1 0x7fa0e1271579 in Java_TestCharArrayReleasing_testIt test/hotspot/jtreg/runtime/jni/checked/libCharArrayReleasing.c:85
            #2 0x7fa0c8d974a4 (<unknown module>)
            #3 0x7fa0c8d92847 (<unknown module>)
            #4 0x7fa0c8d8b6a8 (<unknown module>)
            #5 0x7fa0dc99f379 in JavaCalls::call_helper(JavaValue*, methodHandle const&, JavaCallArguments*, JavaThread*) src/hotspot/share/runtime/javaCalls.cpp:415
            #6 0x7fa0dcca0894 in jni_invoke_static src/hotspot/share/prims/jni.cpp:883
            #7 0x7fa0dccaa6d9 in jni_CallStaticVoidMethodV src/hotspot/share/prims/jni.cpp:1723
            #8 0x7fa0dcce66c5 in checked_jni_CallStaticVoidMethod src/hotspot/share/prims/jniCheck.cpp:1342
            #9 0x7fa0e225a05b in invokeStaticMainWithArgs src/java.base/share/native/libjli/java.c:392
            #10 0x7fa0e225dcef in JavaMain src/java.base/share/native/libjli/java.c:640
            #11 0x7fa0e2262fd8 in ThreadJavaMain src/java.base/unix/native/libjli/java_md.c:646
            #12 0x7fa0e22d9ff5 (/usr/lib64/libasan.so.8+0x5eff5) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)

        Thread T1 created by T0 here:
            #0 0x7fa0e236a191 in pthread_create (/usr/lib64/libasan.so.8+0xef191) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
            #1 0x7fa0e2264928 in CallJavaMainInNewThread src/java.base/unix/native/libjli/java_md.c:687
            #2 0x7fa0e2260580 in ContinueInNewThread src/java.base/share/native/libjli/java.c:2340
            #3 0x7fa0e2261edd in JLI_Launch src/java.base/share/native/libjli/java.c:330
            #4 0x5589f6afc0fc in main src/java.base/share/native/launcher/main.c:150
            #5 0x7fa0e208c1fc in __libc_start_main (/lib64/libc.so.6+0x351fc) (BuildId: 2c8359b67579ed1cba5cce7875abfd60fa954ca7)

        SUMMARY: AddressSanitizer: heap-buffer-overflow src/hotspot/share/memory/guardedMemory.hpp:152 in GuardedMemory::GuardHeader::get_tag() const
        Shadow bytes around the buggy address:
          0x503000045a00: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
          0x503000045a80: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
          0x503000045b00: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
          0x503000045b80: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
          0x503000045c00: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
        =>0x503000045c80: fd fa fa fa fd fd fd fa[fa]fa 00 00 04 fa fa fa
          0x503000045d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
          0x503000045d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
          0x503000045e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
          0x503000045e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
          0x503000045f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        Shadow byte legend (one shadow byte represents 8 application bytes):
          Addressable: 00
          Partially addressable: 01 02 03 04 05 06 07
          Heap left redzone: fa
          Freed heap region: fd
          Stack left redzone: f1
          Stack mid redzone: f2
          Stack right redzone: f3
          Stack after return: f5
          Stack use after scope: f8
          Global redzone: f9
          Global init order: f6
          Poisoned by user: f7
          Container overflow: fc
          Array cookie: ac
          Intra object redzone: bb
          ASan internal: fe
          Left alloca redzone: ca
          Right alloca redzone: cb
        ==37362==ABORTING
        ]
         exitValue = 1
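For triaging failures like the one above across many jtreg runs, the following small parser turns an ASan report into a structured summary: error kind, access size, the signed offset of the faulting address relative to the nearest heap region, the shadow-byte class at the fault, and the first frames with source locations. It is added here as an example and is not part of the JDK test suite or of this issue; the embedded sample is a trimmed copy of the report quoted in the description, and all function and field names are my own.

```python
"""Triage helper for AddressSanitizer reports such as the one quoted in this issue."""
import re

# Constructed sample: a trimmed copy of the report quoted above (the shadow-byte
# block is cut down to the marked line).
SAMPLE_REPORT = """\
==37362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000045cc0 at pc 0x7fa0dcd25820 bp 0x7fa0da7cec50 sp 0x7fa0da7cec48
READ of size 8 at 0x503000045cc0 thread T1
    #0 0x7fa0dcd2581f in GuardedMemory::GuardHeader::get_tag() const src/hotspot/share/memory/guardedMemory.hpp:152
    #1 0x7fa0dcd2581f in GuardedMemory::get_tag() const src/hotspot/share/memory/guardedMemory.hpp:245
    #2 0x7fa0dcd2581f in check_wrapped_array src/hotspot/share/prims/jniCheck.cpp:385
    #3 0x7fa0dcd25a76 in check_wrapped_array_release src/hotspot/share/prims/jniCheck.cpp:430
    #4 0x7fa0dcd27b02 in checked_jni_ReleaseCharArrayElements src/hotspot/share/prims/jniCheck.cpp:1743
    #5 0x7fa0e1271620 in Java_TestCharArrayReleasing_testIt test/hotspot/jtreg/runtime/jni/checked/libCharArrayReleasing.c:110
    #6 0x7fa0c8d974a4 (<unknown module>)

0x503000045cc0 is located 16 bytes before 20-byte region [0x503000045cd0,0x503000045ce4)
allocated by thread T1 here:
    #0 0x7fa0e23722b7 in malloc (/usr/lib64/libasan.so.8+0xf72b7) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #1 0x7fa0e1271579 in Java_TestCharArrayReleasing_testIt test/hotspot/jtreg/runtime/jni/checked/libCharArrayReleasing.c:85
    #2 0x7fa0c8d974a4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/hotspot/share/memory/guardedMemory.hpp:152 in GuardedMemory::GuardHeader::get_tag() const
Shadow bytes around the buggy address:
=>0x503000045c80: fd fa fa fa fd fd fd fa[fa]fa 00 00 04 fa fa fa
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", re.M)
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)", re.M)
REGION_RE = re.compile(
    r"located (\d+) bytes (before|after|inside of|to the left of|to the right of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ (.*)$")
MARKED_SHADOW_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]", re.M)

# Subset of ASan's shadow-byte legend, enough for heap reports.
SHADOW_LEGEND = {"00": "addressable", "fa": "heap left redzone", "fd": "freed heap region",
                 **{f"0{i}": f"partially addressable ({i} bytes)" for i in range(1, 8)}}


def parse_frames(lines):
    """Parse consecutive '#N 0x... in func file:line' lines; stops at the first non-frame line."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            break
        rest = m.group(2)
        if not rest.startswith("in "):
            frames.append({"func": None, "loc": None})  # "(<unknown module>)": JIT/interpreter frame
            continue
        func, _, loc = rest[3:].rpartition(" ")
        if re.fullmatch(r"\S+:\d+", loc):
            frames.append({"func": func, "loc": loc})  # symbolized with a source location
        else:
            # e.g. "malloc (/usr/lib64/libasan.so.8+0xf72b7) (BuildId: ...)": keep only the symbol
            frames.append({"func": rest[3:].split(" (")[0], "loc": None})
    return frames


def parse_asan_report(text):
    """Extract the fields a triager needs from a single ASan error report."""
    lines = text.splitlines()
    rep = {}
    m = ERROR_RE.search(text)
    rep["pid"], rep["kind"], rep["address"] = int(m.group(1)), m.group(2), int(m.group(3), 16)
    m = ACCESS_RE.search(text)
    rep["access"], rep["size"], rep["thread"] = m.group(1), int(m.group(2)), m.group(4)
    start = next(i for i, l in enumerate(lines) if ACCESS_RE.match(l))
    rep["access_stack"] = parse_frames(lines[start + 1:])
    m = REGION_RE.search(text)
    n, where, size = int(m.group(1)), m.group(2), int(m.group(3))
    lo, hi = int(m.group(4), 16), int(m.group(5), 16)
    rep["region"] = {"start": lo, "end": hi, "size": size}
    # Normalise ASan's prose into a signed byte offset from the region start.
    rep["stated_offset"] = -n if where in ("before", "to the left of") else (n if where == "inside of" else size + n)
    start = next(i for i, l in enumerate(lines) if l.startswith("allocated by"))
    rep["alloc_stack"] = parse_frames(lines[start + 1:])
    m = MARKED_SHADOW_RE.search(text)
    rep["shadow"] = SHADOW_LEGEND.get(m.group(1), "other") if m else None
    return rep


def offset_is_consistent(rep):
    """Cross-check: access address minus region start must equal the offset ASan states."""
    return rep["address"] - rep["region"]["start"] == rep["stated_offset"]


def blame(rep):
    """Return (fault site, first frame in the test's native library) from the access stack."""
    located = [f for f in rep["access_stack"] if f["loc"]]
    fault = located[0]["loc"] if located else None
    test = next((f["loc"] for f in located if f["loc"].startswith("test/")), None)
    return fault, test


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r["kind"], r["access"], r["size"], "offset", r["stated_offset"], "shadow:", r["shadow"])
    print("fault site / test frame:", blame(r), "consistent:", offset_is_consistent(r))
```

On the report quoted above the parser yields a signed offset of -16 with the marked shadow byte classified as a heap left redzone, which is the same fact ASan states in prose: the 8-byte read in GuardedMemory::GuardHeader::get_tag() lands just before a 20-byte block that the test obtained from plain malloc. Keying a triage database on the tuple (error kind, fault site, test frame) makes duplicates of this failure across platforms easy to fold together.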

mbaesken Matthias Baesken