Request for Comments: Potential leak of memory pointed to by 'name' about jvmciCodeInstaller

Hi Doug,

Thanks for your kind response!

Hi Leslie,

As a point of process, I think hotspot-compiler-dev@openjdk.java.net is probably a better list for JVMCI bugs.

Sorry for my wrong posting!

In any case, thanks for the investigation. However, I don’t think this is a bug as RuntimeStub simply passes along the name argument which is eventually stored to CodeBlob::_name without any further copying. If we subsequently freed that argument, the CodeBlob::_name would become invalid.

Thanks for pointing out my fault!
I might brought in Use-after-free[2] issue even that I carefully free the allocated memory in the end of `installCode` C2V_VMENTRY...
The reduced testcase is able to reproduce my fault:

----- 8< -------- 8< -------- 8< -------- 8< -------- 8< -------- 8< ---
$ cat t.cpp
#include <iostream>
#include <string.h>
#include <stdlib.h>

class CodeBlob {
public:
   CodeBlob(const char* name) : _name(name) {};

   const char* name() { return _name; }

protected:
   const char* _name;
};

class RuntimeBlob : public CodeBlob {
public:
   RuntimeBlob(const char* name) : CodeBlob(name) {}
};

class RuntimeStub : public RuntimeBlob {
private:
   RuntimeStub(const char* name) : RuntimeBlob(name) {}

public:
   static RuntimeStub* new_runtime_stub(const char* stub_name) {
     RuntimeStub* stub = new RuntimeStub(stub_name);
     return stub;
   }
};

static void install(CodeBlob*& cb, char*& name) {
   name = strdup("some stubName");
   cb = RuntimeStub::new_runtime_stub(name);
}

// To simulate C2V_VMENTRY(jint, installCode, (JNIEnv *jniEnv, jobject, jobject target, jobject compiled_code, jobject installed_code, jobject speculation_log))
int main(int argc, char *argv[]) {
   CodeBlob* cb = NULL;
   char* cb_name = NULL;
   install(cb, cb_name);
   if (cb_name) free(cb_name); // <--- MY FAULT
   std::cout << cb->name() << std::endl;
   return 0;
}
----- 8< -------- 8< -------- 8< -------- 8< -------- 8< -------- 8< ---

t.cpp:9:24: warning: Use of memory after it is freed
   const char* name() { return _name; }
                        ^~~~~~~~~~~~
t.cpp:42:3: warning: Potential leak of memory pointed to by 'cb'
   std::cout << cb->name() << std::endl;
   ^~~~~~~~~~~~~~~~~~~~~~~

So It might be Potential leak of memory pointed to by 'cb' about jvmciCompilerToVM? But the `cb` might be used in other place just like `name` :slight_smile:
Just comment MY FAULT //if (cb_name) free(cb_name);
And see what dynamic analysis say:

$ clang++ -fsanitize=address t.cpp
$ ./a.out

Indeed. RuntimeStubs are never freed as they are used as helpers for “normal” compiled code. Once created, their addresses are stored in static variables that live for the remainder of the VM process.

-Doug