JDK-8216486 : Possibility of integer overflow in JfrThreadSampler::run()
  • Type: Bug
  • Component: hotspot
  • Sub-Component: jfr
  • Affected Version: 11.0.3,12,13
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-01-10
  • Updated: 2020-04-27
  • Resolved: 2019-01-11
Fix versions:
  • JDK 11: 11.0.3 (Fixed)
  • JDK 12: 12.0.2 (Fixed)
  • JDK 13: 13 b04 (Fixed)
  • Other: openjdk8u262 (Fixed)
Description
https://mail.openjdk.java.net/pipermail/hotspot-jfr-dev/2018-May/000047.html

I tried JFR: `java -XX:StartFlightRecording=dumponexit=true,filename=test.jfr --version` with fastdebug VM, but it crashed.
I uploaded hs_err log here:

   http://cr.openjdk.java.net/~ysuenaga/jfr-integer-overflow/hs_err_pid46934.log

I encountered this crash on Fedora 28 x64. The VM was built with GCC 8.1.

I checked the core image, and I found a possibility of integer overflow in JfrThreadSampler::run().
I paste the GDB frame info:

```
(gdb) f 24
#24 0x00007f657a5937b7 in os::naked_short_sleep (ms=9223372036854775807)
     at /home/ysuenaga/OpenJDK/jdk/src/hotspot/os/linux/os_linux.cpp:4076
4076      assert(ms < 1000, "Un-interruptable sleep, short time use only");
(gdb) p/x ms
$1 = 0x7fffffffffffffff
```

Frame #24 is the assertion which caused this crash.
`ms` is max_jlong.
JfrThreadSampler::run() calculates `next_j` and `next_n` to determine the sleep time, but they might overflow.

So I think it can be fixed as below:
   http://cr.openjdk.java.net/~ysuenaga/jfr-integer-overflow/webrev/
Comments
Fix Request: Requesting to backport this fix to JDK 11u since it might cause GCC to produce wrong code (it's free to do anything for UB) and crash the JVM in some situations. The fix is low risk as only parentheses are being added. The JDK 13 patch applies as is to JDK 11u.
11-01-2019

For completeness, this is what I'm getting when running TestStartStopRecording.java on a -fsanitize=undefined instrumented JVM (prior to this fix):

```
src/hotspot/share/jfr/periodic/sampling/jfrThreadSampler.cpp:471:36: runtime error: signed integer overflow: 9223372036854775807 + 23949501 cannot be represented in type 'long int'
src/hotspot/share/jfr/periodic/sampling/jfrThreadSampler.cpp:471:11: runtime error: signed integer overflow: -9223372036830826308 - 23949501 cannot be represented in type 'long int'
src/hotspot/share/jfr/periodic/sampling/jfrThreadSampler.cpp:470:34: runtime error: signed integer overflow: 9223372036854775807 + 23949747 cannot be represented in type 'long int'
src/hotspot/share/jfr/periodic/sampling/jfrThreadSampler.cpp:470:11: runtime error: signed integer overflow: -9223372036830826062 - 23949747 cannot be represented in type 'long int'
```
11-01-2019
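The description and the sanitizer output above describe the same defect from two angles: the sleep-time expression adds a possibly-max_jlong interval to the last sample time before subtracting the current time, and the sum leaves the range of jlong. The following C program is an added example, not code from the JDK or from this bug report, that reproduces the arithmetic with the sanitizer's own operands. The expression shapes `interval + last_ms - now_ms` (pre-fix) and `interval + (last_ms - now_ms)` (post-fix) are an assumption reconstructed from the comment that only parentheses were added; the function names and the 5 ms gap between samples are constructed, and the `__builtin_*_overflow` helpers are GCC/Clang extensions used here to turn the undefined behaviour into a reported flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror HotSpot's jlong / max_jlong with plain C types. */
typedef int64_t jlong;
#define MAX_JLONG INT64_MAX

/*
 * Both helpers compute the value the sampler loop needs: how long to sleep
 * until the next sample, given the configured interval, the time of the last
 * sample and the current monotonic time (all in ms). They differ only in the
 * evaluation order. Checked builtins replace plain arithmetic so an overflow is
 * reported through the return value instead of being undefined behaviour; the
 * two's-complement wrapped value is still stored in *next for inspection.
 */

/* Assumed pre-fix shape: interval + last_ms - now_ms == (interval + last_ms) - now_ms.
 * With interval == max_jlong the first addition leaves the representable range
 * (the sanitizer's "9223372036854775807 + 23949501"), and the subtraction that
 * follows overflows again in the other direction. */
bool next_sleep_unparenthesized(jlong interval, jlong last_ms, jlong now_ms, jlong *next) {
  jlong tmp;
  bool overflowed = __builtin_add_overflow(interval, last_ms, &tmp);
  overflowed |= __builtin_sub_overflow(tmp, now_ms, next);
  return overflowed;
}

/* Post-fix shape: interval + (last_ms - now_ms).
 * On a monotonic clock last_ms <= now_ms, so the delta is <= 0 and the sum can
 * never exceed interval, even when interval is max_jlong. */
bool next_sleep_parenthesized(jlong interval, jlong last_ms, jlong now_ms, jlong *next) {
  jlong delta;
  bool overflowed = __builtin_sub_overflow(last_ms, now_ms, &delta);
  overflowed |= __builtin_add_overflow(interval, delta, next);
  return overflowed;
}

int main(void) {
  /* Constructed inputs: the sanitizer's 23949501 ms as the last-sample time,
   * and a current time 5 ms later. */
  jlong last_ms = 23949501, now_ms = last_ms + 5, next;

  bool bad = next_sleep_unparenthesized(MAX_JLONG, last_ms, now_ms, &next);
  printf("unparenthesized: overflow=%d wrapped result=%lld\n", bad, (long long)next);

  bool ok = !next_sleep_parenthesized(MAX_JLONG, last_ms, now_ms, &next);
  printf("parenthesized:   overflow=%d result=%lld\n", !ok, (long long)next);

  /* An ordinary 20 ms interval with 15 ms elapsed gives 5 ms either way. */
  next_sleep_parenthesized(20, 1000, 1015, &next);
  printf("20 ms interval, 15 ms elapsed: sleep %lld ms\n", (long long)next);
  return 0;
}
```

Note what the wrapped result shows: the two overflows cancel on two's-complement hardware, so a plain release build computes the intended number and the bug stays invisible there. That is exactly why it matters that the overflow is undefined behaviour rather than a wrong answer: the compiler may assume it cannot happen and transform the surrounding code accordingly, and only the fastdebug assertion and -fsanitize=undefined make the problem observable.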

This issue is reproducible on environments with:
  • GCC 8
  • fastdebug JVM builds
  • JFR jtreg tests, for example jdk/jfr/api/recorder/TestStartStopRecording.java
10-01-2019