Re: RFR: 8372493: [asan] java/foreign/sharedclosejvmti/TestSharedCloseJvmti.java triggers heap-use-after-free

Wed, 17 Dec 2025 05:56:03 -0800 

On Tue, 16 Dec 2025 20:21:59 GMT, Chen Liang <[email protected]> wrote:

>> ASAN correctly detected a use-after-free in this test.
>> 
>> The issue is that an async `ScopedAccessError` is thrown while executing 
>> java code as part of a JVMTI callback. This exception is meant to unwind out 
>> of a scoped memory access, to prevent access to memory that has already been 
>> freed. But, currently the native agent code is printing and clearing the 
>> exception, which doesn't prevent the memory access from occurring, leading 
>> to a use-after-free.
>> 
>> Ideally, the agent should propagate the exception to the place in the Java 
>> code where the JVMTI event happens, but it is not possible to exit the 
>> callback with a pending exception, and AFAICT there is no JVMTI API for 
>> propagating async exceptions that are thrown during a JVMTI callback. So, 
>> the only sane thing the test can do is exit the process, which is what I've 
>> implemented here.
>> 
>> This fixes the test, but it leaves the larger question of how JVMTI agents 
>> should deal with async exceptions unresolved.
>
> test/jdk/java/foreign/sharedclosejvmti/libSharedCloseAgent.cpp line 109:
> 
>> 107:     jni_env->ExceptionDescribe();
>> 108:     if (jni_env->IsInstanceOf(ex, EXCEPTION_CLS)) {
>> 109:       exit(0); // success
> 
> Just curious, does this just terminate the agent? If this terminates the JVM, 
> how is the checked string printed:
> 
> output.stderrShouldContain("Exception in thread "Trigger" 
> jdk.internal.misc.ScopedMemoryAccess$ScopedAccessError: Invalid memory 
> access");

It terminates the VM. That string is printed by `ExceptionDescribe()`

> test/jdk/java/foreign/sharedclosejvmti/libSharedCloseAgent.cpp line 115:
> 
>> 113:   }
>> 114: 
>> 115:   jvmti_env->Deallocate((unsigned char*) method_name);
> 
> We can move the 2 Deallocate to right above CallStaticVoidMethod.

Cleaned this code up a bit. We just need one call to `Deallocate` for each 
string.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28853#discussion_r2624641725
PR Review Comment: https://git.openjdk.org/jdk/pull/28853#discussion_r2624662418

Reply via email to