[Bug libgcj/12013] New: Calling Reference.clear() can cause runtime to crash.
ddaney at avtrex dot com
gcc-bugzilla@gcc.gnu.org
Thu Aug 21 17:37:00 GMT 2003
PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=12013
Summary: Calling Reference.clear() can cause runtime to crash.
Product: gcc
Version: 3.3.1
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: libgcj
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: ddaney at avtrex dot com
CC: gcc-bugs at gcc dot gnu dot org
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
Finally found it! The attached test program exercises a bug in libgcj's
lava.lang.ref.Reference handling code (from gcc 3.3.1). It crashes on both my
i686-pc-linux-gnu and mipsel-linux platforms
If Reference.clear() is called and then the Reference is finalized
before its referent, a dangling pointer is created in the object_list
structure in natReference.cc. This happens because the 'copy' field
of the Reference is cleared and that is what is used to find the slot
in the object_list table.
When more objects are allocated, this dangling pointer now can point
to an object of some other type.
Now when the original referent is finalized, all of the References to
it are enqueued, but since some of the pointers to these References
are invalid, the called to enqueue() (via a now invalid vtable) sends
us off into some place bad.
There seem to be two ways to fix the problem.
1) Never clear the 'copy' field in the Reference and add a boolean
field to Reference that is set to detect the cleared condition.
Doing this we will always be able to find the Reference in the
object_list.
2) If 'copy' is null, then scan the entire object_list tree looking
for the entry that points to the Reference and remove it.
I have attached a patch that does #1.
Question: Does adding a field to Reference cause binary compatibility
problems between different versions of shared libgcj?
I don't think so because all fields are package private.
Option 2 preserves the size and layout of Reference, but would be
slower and require bigger changes to natReference.cc
My patch includes changes from Tom Tromey's patch of yesterday.
More information about the Gcc-bugs
mailing list