JDK-8217776 : JVMTI code cache load events can cause memory corruption in the code cache
  • Type: Bug
  • Component: hotspot
  • Sub-Component: jvmti
  • Affected Version: 13
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2019-01-25
  • Updated: 2019-05-07
  • Resolved: 2019-05-07
Version: Other (tbd, Resolved)
Related Reports
Duplicate :  
Description
When an nmethod is loaded, we call the nmethod::post_compiled_method_load_event() function. If we are running with events on, we calculate some jmethod_id, and take the safepoint checking JmethodIdCreation_lock in the process. After that, we may wake up N safepoints later, and the nmethod* may point at arbitrary freed memory in the code cache. Then we store the jmethod ID to what we think is a live nmethod, but it could be toast by now. Then we poke at its lock counter and enqueue some deferred event to the service thread. But again, the nmethod could be toast by now. This could cause random memory corruption of the code cache (as newly compiled nmethods could be placed over the memory where the JVMTI code is poking around).

The solution seems to be to just make that lock not check for safepoints.
Comments
We looked into this a bit more. An alternative approach would be to make the nmethods roots while they have deferred 'load' events on the queue, and maybe move the creation of the unload events to the nmethod::flush method. That way we are guaranteed to post load and unload events. Today, that's not guaranteed.
07-05-2019

Added Affects Version 13, but this bug probably exists in much older releases as well.
07-05-2019
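
The race from the Description and the two fixes discussed above (a lock that does not check for safepoints, or keeping the nmethod as a root while its load event is pending), as an added example that is not HotSpot code. It is a single-threaded C++ toy model: `Slot`, `CodeCache`, `lock_id_creation` and `post_load_event` are hypothetical names, and the sweep plus recompilation at the safepoint is simulated deterministically.

```cpp
#include <string>

// Toy model (constructed): one code-cache slot that the sweeper may flush
// and the compiler may reuse. All names are hypothetical, not HotSpot's.
struct Slot {
    std::string method;   // which compiled method currently lives here
    long jmethod_id = 0;  // field the load-event path stores into
    int pins = 0;         // >0: treated as a root, must not be flushed
};

struct CodeCache {
    Slot slot;
    void install(const std::string& name) {
        slot.method = name; slot.jmethod_id = 0; slot.pins = 0;
    }
    // A safepoint at which the slot is flushed and a newly compiled method
    // is placed over the same memory, unless the slot is pinned.
    void safepoint_with_sweep_and_recompile() {
        if (slot.pins > 0) return;
        install("NewMethod");
    }
};

enum class LockMode { SafepointCheck, NoSafepointCheck };

// Models taking the jmethod-id creation lock: only the safepoint-checking
// mode lets a safepoint (and therefore a sweep) run while the caller waits.
void lock_id_creation(CodeCache& cc, LockMode mode) {
    if (mode == LockMode::SafepointCheck)
        cc.safepoint_with_sweep_and_recompile();
}

// Returns the name of the method whose slot actually received the id.
std::string post_load_event(CodeCache& cc, LockMode mode, bool pin) {
    cc.install("OldMethod");
    Slot* nm = &cc.slot;        // raw pointer held across the lock
    if (pin) nm->pins++;        // alternative fix: keep it a root meanwhile
    lock_id_creation(cc, mode);
    nm->jmethod_id = 42;        // store through the possibly stale pointer
    std::string hit = nm->method;
    if (pin) nm->pins--;
    return hit;
}
```

In the unpinned, safepoint-checking case the store lands in the newly installed method's slot, which is the code cache corruption the report describes.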