JDK-8357468 : [asan] heap buffer overflow reported in PcDesc::pc_offset() pcDesc.hpp:57
  • Type: Bug
  • Component: hotspot
  • Sub-Component: compiler
  • Affected Version: 8,11,17,21,25
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux
  • CPU: x86_64
  • Submitted: 2025-05-21
  • Updated: 2025-05-26
  • Resolved: 2025-05-23
  • Fix Version: JDK 25 (25, master): Fixed
Description
In various HS :tier1 jtreg tests, when running with ASAN-enabled binaries, heap buffer overflows are reported.

Example tests triggering the issue: compiler/c2/TestBitSetAndReset; compiler/runtime/TestConstantsInError and some more.


==31940==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400000d248 at pc 0x14ff33ccca8f bp 0x14feb1bbce10 sp 0x14feb1bbce08
READ of size 4 at 0x50400000d248 thread T20 (C2 CompilerThre)
    #0 0x14ff33ccca8e in PcDesc::pc_offset() const src/hotspot/share/code/pcDesc.hpp:57
    #1 0x14ff33ccca8e in match_desc src/hotspot/share/code/nmethod.cpp:396
    #2 0x14ff33ccca8e in match_desc src/hotspot/share/code/nmethod.cpp:391
    #3 0x14ff33ccca8e in PcDescCache::find_pc_desc(int, bool) src/hotspot/share/code/nmethod.cpp:426
    #4 0x14ff33ccca8e in PcDescContainer::find_pc_desc_internal(unsigned char*, bool, unsigned char*, PcDesc*, PcDesc*) src/hotspot/share/code/nmethod.cpp:2793
    #5 0x14ff33ccf675 in PcDescContainer::find_pc_desc(unsigned char*, bool, unsigned char*, PcDesc*, PcDesc*) src/hotspot/share/code/nmethod.hpp:128
    #6 0x14ff33ccf675 in nmethod::find_pc_desc(unsigned char*, bool) src/hotspot/share/code/nmethod.hpp:360
    #7 0x14ff33ccf675 in nmethod::pc_desc_near(unsigned char*) src/hotspot/share/code/nmethod.hpp:886
    #8 0x14ff33ccf675 in nmethod::scope_desc_in(unsigned char*, unsigned char*) src/hotspot/share/code/nmethod.cpp:3712
    #9 0x14ff33cdc833 in nmethod::has_code_comment(unsigned char*, unsigned char*) src/hotspot/share/code/nmethod.cpp:3838
    #10 0x14ff33cdc833 in nmethod::decode2(outputStream*) const src/hotspot/share/code/nmethod.cpp:3541
    #11 0x14ff33cdd1d8 in nmethod::print_nmethod(bool) src/hotspot/share/code/nmethod.cpp:1676
    #12 0x14ff33cdda36 in nmethod::maybe_print_nmethod(DirectiveSet const*) src/hotspot/share/code/nmethod.cpp:1647
    #13 0x14ff33cdda36 in nmethod::maybe_print_nmethod(DirectiveSet const*) src/hotspot/share/code/nmethod.cpp:1644
    #14 0x14ff33cdda36 in nmethod::post_compiled_method(CompileTask*) src/hotspot/share/code/nmethod.cpp:2232
    #15 0x14ff31fde4ec in ciEnv::register_method(ciMethod*, int, CodeOffsets*, int, CodeBuffer*, int, OopMapSet*, ExceptionHandlerTable*, ImplicitExceptionTable*, AbstractCompiler*, bool, bool, bool, bool, int) src/hotspot/share/ci/ciEnv.cpp:1127
    #16 0x14ff33dfb190 in PhaseOutput::install_code(ciMethod*, int, AbstractCompiler*, bool, bool) src/hotspot/share/opto/output.cpp:3442
    #17 0x14ff3222fd8f in Compile::Code_Gen() src/hotspot/share/opto/compile.cpp:3100
    #18 0x14ff32238e9c in Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:893
    #19 0x14ff31efce2f in C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:141
    #20 0x14ff3224afa7 in CompileBroker::invoke_compiler_on_method(CompileTask*) src/hotspot/share/compiler/compileBroker.cpp:2298
    #21 0x14ff32257247 in CompileBroker::compiler_thread_loop() src/hotspot/share/compiler/compileBroker.cpp:1942
    #22 0x14ff32e4d562 in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:773
    #23 0x14ff32e6279f in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:753
    #24 0x14ff32e6279f in JavaThread::run() src/hotspot/share/runtime/javaThread.cpp:758
    #25 0x14ff348f4fdf in Thread::call_run() src/hotspot/share/runtime/thread.cpp:224
    #26 0x14ff33dc14c2 in thread_native_entry src/hotspot/os/linux/os_linux.cpp:870
    #27 0x14ff38137ff5  (/usr/lib64/libasan.so.8+0x5eff5) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #28 0x14ff37e8a6e9 in start_thread (/lib64/libpthread.so.0+0xa6e9) (BuildId: 938e42b7e407d175ee3ef9a89c038168101d330c)
    #29 0x14ff37fcd58e in clone (/lib64/libc.so.6+0x11858e) (BuildId: 74f77bf013a66413c77197c121955e029c32d259)

0x50400000d248 is located 8 bytes before 48-byte region [0x50400000d250,0x50400000d280)
allocated by thread T20 (C2 CompilerThre) here:
    #0 0x14ff381d02b7 in malloc (/usr/lib64/libasan.so.8+0xf72b7) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #1 0x14ff33da6127 in permit_forbidden_function::malloc(unsigned long) src/hotspot/share/utilities/permitForbiddenFunctions.hpp:63
    #2 0x14ff33da6127 in os::malloc(unsigned long, MemTag, NativeCallStack const&) src/hotspot/share/runtime/os.cpp:659
    #3 0x14ff33da6127 in os::malloc(unsigned long, MemTag) src/hotspot/share/runtime/os.cpp:627
    #4 0x14ff33cd5f5f in nmethod::new_nmethod(methodHandle const&, int, int, CodeOffsets*, int, DebugInformationRecorder*, Dependencies*, CodeBuffer*, int, OopMapSet*, ExceptionHandlerTable*, ImplicitExceptionTable*, AbstractCompiler*, CompLevel, char*, int, JVMCINMethodData*) src/hotspot/share/code/nmethod.cpp:1172
    #5 0x14ff31fddee4 in ciEnv::register_method(ciMethod*, int, CodeOffsets*, int, CodeBuffer*, int, OopMapSet*, ExceptionHandlerTable*, ImplicitExceptionTable*, AbstractCompiler*, bool, bool, bool, bool, int) src/hotspot/share/ci/ciEnv.cpp:1062
    #6 0x14ff33dfb190 in PhaseOutput::install_code(ciMethod*, int, AbstractCompiler*, bool, bool) src/hotspot/share/opto/output.cpp:3442
    #7 0x14ff3222fd8f in Compile::Code_Gen() src/hotspot/share/opto/compile.cpp:3100
    #8 0x14ff32238e9c in Compile::Compile(ciEnv*, ciMethod*, int, Options, DirectiveSet*) src/hotspot/share/opto/compile.cpp:893
    #9 0x14ff31efce2f in C2Compiler::compile_method(ciEnv*, ciMethod*, int, bool, DirectiveSet*) src/hotspot/share/opto/c2compiler.cpp:141
    #10 0x14ff3224afa7 in CompileBroker::invoke_compiler_on_method(CompileTask*) src/hotspot/share/compiler/compileBroker.cpp:2298
    #11 0x14ff32257247 in CompileBroker::compiler_thread_loop() src/hotspot/share/compiler/compileBroker.cpp:1942
    #12 0x14ff32e4d562 in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:773
    #13 0x14ff32e6279f in JavaThread::thread_main_inner() src/hotspot/share/runtime/javaThread.cpp:753
    #14 0x14ff32e6279f in JavaThread::run() src/hotspot/share/runtime/javaThread.cpp:758
    #15 0x14ff348f4fdf in Thread::call_run() src/hotspot/share/runtime/thread.cpp:224
    #16 0x14ff33dc14c2 in thread_native_entry src/hotspot/os/linux/os_linux.cpp:870
    #17 0x14ff38137ff5  (/usr/lib64/libasan.so.8+0x5eff5) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)

Thread T20 (C2 CompilerThre) created by T1 here:
    #0 0x14ff381c8191 in pthread_create (/usr/lib64/libasan.so.8+0xef191) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #1 0x14ff33dc46fc in os::create_thread(Thread*, os::ThreadType, unsigned long) src/hotspot/os/linux/os_linux.cpp:1062
    #2 0x14ff322a1bd8 in CompilerThread::CompilerThread(CompileQueue*, CompilerCounters*) src/hotspot/share/compiler/compilerThread.cpp:33
    #3 0x14ff32251c75 in CompileBroker::make_thread(CompileBroker::ThreadType, _jobject*, CompileQueue*, AbstractCompiler*, JavaThread*) src/hotspot/share/compiler/compileBroker.cpp:853
    #4 0x14ff32252501 in CompileBroker::init_compiler_threads() src/hotspot/share/compiler/compileBroker.cpp:966
    #5 0x14ff322539ed in CompileBroker::compilation_init(JavaThread*) src/hotspot/share/compiler/compileBroker.cpp:681
    #6 0x14ff34928b4f in Threads::create_vm(JavaVMInitArgs*, bool*) src/hotspot/share/runtime/threads.cpp:766
    #7 0x14ff33095bc8 in JNI_CreateJavaVM_inner src/hotspot/share/prims/jni.cpp:3587
    #8 0x14ff33095bc8 in JNI_CreateJavaVM src/hotspot/share/prims/jni.cpp:3678
    #9 0x14ff380b8633 in InitializeJVM src/java.base/share/native/libjli/java.c:1506
    #10 0x14ff380b8633 in JavaMain src/java.base/share/native/libjli/java.c:494
    #11 0x14ff380c0e58 in ThreadJavaMain src/java.base/unix/native/libjli/java_md.c:646
    #12 0x14ff38137ff5  (/usr/lib64/libasan.so.8+0x5eff5) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)

Thread T1 created by T0 here:
    #0 0x14ff381c8191 in pthread_create (/usr/lib64/libasan.so.8+0xef191) (BuildId: 4ee117fa2a132af1da9f17a0a5fe1f888398d50f)
    #1 0x14ff380c27a8 in CallJavaMainInNewThread src/java.base/unix/native/libjli/java_md.c:687
    #2 0x14ff380be400 in ContinueInNewThread src/java.base/share/native/libjli/java.c:2340
    #3 0x14ff380bfd5d in JLI_Launch src/java.base/share/native/libjli/java.c:330
    #4 0x5647304fb0fc in main src/java.base/share/native/launcher/main.c:150
    #5 0x14ff37eea24c in __libc_start_main (/lib64/libc.so.6+0x3524c) (BuildId: 74f77bf013a66413c77197c121955e029c32d259)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/hotspot/share/code/pcDesc.hpp:57 in PcDesc::pc_offset() const
Shadow bytes around the buggy address:
  0x50400000cf80: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x50400000d000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x50400000d080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x50400000d100: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x50400000d180: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
=>0x50400000d200: fa fa 00 00 00 00 00 00 fa[fa]00 00 00 00 00 00
  0x50400000d280: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x50400000d300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50400000d380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50400000d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50400000d480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Comments
Changeset: 66747710 Branch: master Author: Dean Long <dlong@openjdk.org> Date: 2025-05-23 19:29:09 +0000 URL: https://git.openjdk.org/jdk/commit/66747710a49ea6a78aee94d3a3ec6a24b7cc36e5
23-05-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/25404 Date: 2025-05-22 23:43:09 +0000
22-05-2025

This is pretty easy to reproduce with -XX:+PrintAssembly.
22-05-2025

ILW = potential crash or incorrect behavior, always with sanitizer, no workaround = MHH = P2
22-05-2025

It looks like this could cause a false-positive match or a crash. Looking at the code, it seems like match_desc() can try to access the memory at _pc_descs[0]-1.
22-05-2025
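Added example, not HotSpot code and not the committed fix: a simplified model of the approximate match the comment above describes, showing the `pc - 1` read that lands before the table when `pc` is its first entry, beside a guarded variant that takes the table start. The `PcDesc` stand-in, the table contents and the guarded form are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Minimal stand-in for HotSpot's PcDesc: only the field the ASan report reads.
struct PcDesc {
  int _pc_offset;
  int pc_offset() const { return _pc_offset; }
};

// Approximate match in the shape the bug describes: accept `pc` when the
// queried offset lies in ((pc-1)->pc_offset(), pc->pc_offset()].  When `pc`
// is the first entry of the table, `pc - 1` is outside the allocation; that
// is the read ASan flags in the report.  Kept only to show the pattern; the
// demo below never calls it on a first entry.
static bool match_desc_unguarded(const PcDesc* pc, int pc_offset) {
  return (pc - 1)->pc_offset() < pc_offset && pc_offset <= pc->pc_offset();
}

// Guarded variant (illustrative hardening, not the committed fix): the caller
// passes the table start, and the predecessor is dereferenced only when it
// lies inside the table.  For the first entry any offset at or below its
// pc_offset is accepted, which is what "first entry covering pc" means there.
static bool match_desc_guarded(const PcDesc* pc, int pc_offset,
                               const PcDesc* table_begin) {
  if (pc_offset > pc->pc_offset()) return false;
  if (pc == table_begin) return true;       // no predecessor to compare with
  return (pc - 1)->pc_offset() < pc_offset;
}

// Linear approximate lookup over an ascending table using the guarded check.
// Returns the index of the matching entry, or -1 when pc_offset is past the end.
static int find_approx(const std::vector<PcDesc>& table, int pc_offset) {
  for (std::size_t i = 0; i < table.size(); ++i) {
    if (match_desc_guarded(&table[i], pc_offset, table.data())) {
      return static_cast<int>(i);
    }
  }
  return -1;
}

// Constructed table of ascending pc offsets (not taken from a real nmethod).
static const std::vector<PcDesc> kTable = {{0}, {8}, {24}, {40}};

int main() {
  std::cout << "pc 9  -> entry " << find_approx(kTable, 9)  << "\n";  // 2
  std::cout << "pc 0  -> entry " << find_approx(kTable, 0)  << "\n";  // 0
  std::cout << "pc 41 -> entry " << find_approx(kTable, 41) << "\n";  // -1
  return 0;
}
```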