8297967: Make frame::safe_for_sender safer

[parttimenerd]

Makes frame::safe_for_sender safer by checking that the location of the return address, sender stack pointer, and link address is accessible. This makes the method safer in the case of broken frames.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Integration blocker

 ⚠️ Too few reviewers with at least role reviewer found (have 0, need at least 1) (failed with the updated jcheck configuration)

Issue

• JDK-8297967: Make frame::safe_for_sender safer (Enhancement - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/11461/head:pull/11461
$ git checkout pull/11461

Update a local copy of the PR:
$ git checkout pull/11461
$ git pull https://git.openjdk.org/jdk.git pull/11461/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 11461

View PR using the GUI difftool:
$ git pr show -t 11461

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11461.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back parttimenerd! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@parttimenerd The following label will be automatically applied to this pull request:

• hotspot

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 05: Full (b0c90888)
• 04: Full - Incremental (971553fc)
• 03: Full - Incremental (32cced6e)
• 02: Full - Incremental (f7762551)
• 01: Full - Incremental (a8903005)
• 00: Full (01d5e721)

[parttimenerd]

I converted it back to a draft and look into next week with more vigor.

[parttimenerd]

My new version just uses SafeFetchN in the place where I consistently get segfaults in my fuzzer and it works.

[parttimenerd]

The issue might happen when ASGCT (and my ASGST for which I wrote a fuzzer) are called with modified sp and fp, which async-profiler might do.

[parttimenerd]

I added a few more safe fetches, safe_for_sender should now be guarded against any broken fp.

[TheRealMDoerr]

Quite a few SafeFetch checks! But it's only used for profiling purposes, so checking a bit more sounds ok to me. Let's hear what other people think.
Please update the description and the JBS issue according to your new version and describe how broken values may reach this function.

[bridgekeeper]

@parttimenerd This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[parttimenerd]

This is ongoing work.

[openjdk]

@parttimenerd this pull request can not be integrated into master due to one or more merge conflicts. To resolve these merge conflicts and update this pull request you can run the following commands in the local repository for your personal fork:

git checkout parttimenerd_8297967
git fetch https://git.openjdk.org/jdk master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push

[bridgekeeper]

@parttimenerd This pull request has been inactive for more than 8 weeks and will be automatically closed if another 8 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[TheRealMDoerr]

I'm still trying to understand the underlying problem. I guess that FP points into a read protected (or uncommitted) part of the stack which isn't caught by the fp_safe checks for some reason. Using 3 safefetch checks is a bit much, because we shouldn't have gaps within a frame. On the other hand, checking exactly the 3 fields we need sounds like a good idea and your checks should be affordable from performance point of view. I'm ok with it, but I'd like to hear more opinions.

[parttimenerd]

The issue happens reproducibly while fuzzing profiling APIs. The change would remove a large class of errors that I found during testing. The issues can happen in theory too, due to e.g. a modified frame passed in by the profiler.

[TheRealMDoerr]

Can you dump the broken frame when one of your safefetch checks fail or create a hs_err file? That might shed more light into the problem.

[parttimenerd]

This happens when the frames frame and stack pointer are randomized (by adding a random number between 0 and 100000) during the fuzzing.

[bridgekeeper]

@parttimenerd This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[shipilev]

Some drive-by comments here.

[shipilev]

So these three are sender_sp, sender_unextended_sp and saved_fp a few lines below, right? So we can just SafeFetch-check those vars after we got them? This also highlights we want to check that those pointers are safe to fetch from.

I.e.:

      // for interpreted frames, the value below is the sender "raw" sp,
      // which can be different from the sender unextended sp (the sp seen
      // by the sender) because of current frame local variables
      sender_sp = (intptr_t*) addr_at(sender_sp_offset);
      sender_unextended_sp = (intptr_t*) this->fp()[interpreter_frame_sender_sp_offset];
saved_fp = (intptr_t*) this->fp()[link_offset];
      saved_fp = (intptr_t*) this->fp()[link_offset];

      if ((SafeFetchN(sender_sp, 0) == 0) ||
          (SafeFetchN(sender_unextended_sp) == 0) ||
          (SafeFetchN(saved_fp, 0) == 0)) {
        return false;
      }

[parttimenerd]

you're right, that looks much better

[shipilev]

Accidental revert: "nullptr" -> "NULL".

[parttimenerd]

I started the PR before the whole move, thanks for noticing this :)

[shipilev]

Excess newline. Accidental revert: "nullptr" -> "NULL".

[shipilev]

Accidental revert: "nullptr" -> "NULL".

[parttimenerd]

@shipilev do you think that bringing this PR is worthwhile? It only hardens the API when it is slightly misused (being passed in broken ucontexts).

[shipilev]

@shipilev do you think that bringing this PR is worthwhile? It only hardens the API when it is slightly misused (being passed in broken ucontexts).

In my mind, if this have a non-zero probability of happening during the normal non-fuzzing execution, then we should be on the safe side and check. A profiler that crashes the app is never a good thing. I got here through the bug report here -- so it might be a signal that problems like these happen IRL.

[parttimenerd]

This might possible. I'll work on it then next week.

[bridgekeeper]

@parttimenerd This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[bridgekeeper]

@parttimenerd This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.