Ensure that setScopedValueBindings can never trigger a stack overflow.

guizmaii · Mar 21, 2023 · 172b382 · 172b382
1 parent 3d8899b
commit 172b382
Show file tree

Hide file tree

Showing 4 changed files with 137 additions and 10 deletions.
diff --git a/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/SubstrateUtil.java b/substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/SubstrateUtil.java
@@ -212,6 +212,7 @@ public static CCharPointer strchr(CCharPointer str, int c) {
      * are actually the same class.
      */
     @SuppressWarnings({"unused", "unchecked"})
+    @AlwaysInline("Some callers rely on this never becoming an actual method call.")
     @Uninterruptible(reason = "Called from uninterruptible code.", mayBeInlined = true)
     public static <T> T cast(Object obj, Class<T> toType) {
         return (T) obj;

diff --git a/...atevm/src/com.oracle.svm.core/src/com/oracle/svm/core/thread/Target_java_lang_Thread.java b/...atevm/src/com.oracle.svm.core/src/com/oracle/svm/core/thread/Target_java_lang_Thread.java
@@ -39,6 +39,7 @@
 import org.graalvm.nativeimage.Platforms;
 import org.graalvm.nativeimage.impl.InternalPlatform;
 
+import com.oracle.svm.core.AlwaysInline;
 import com.oracle.svm.core.SubstrateOptions;
 import com.oracle.svm.core.SubstrateUtil;
 import com.oracle.svm.core.Uninterruptible;
@@ -702,19 +703,45 @@ static void setScopedValueCache(Object[] cache) {
         JavaThreads.toTarget(currentCarrierThread()).scopedValueCache = cache;
     }
 
+    /**
+     * This method is used to set and revert {@code ScopedValue} bindings as follows:
+     *
+     * {@code setScopedValueBindings(b); try { work(); } finally { setScopedValueBindings(previous);
+     * }}
+     *
+     * If the second call fails due to a stack overflow, ScopedValue bindings leak out of their
+     * scope. Therefore, we force-inline this method into its callers. This requires both calls to
+     * happen in the same caller, which is the case in the usages in the JDK, and those are expected
+     * to remain the only direct usages. {@code ScopedValue.Carrier} calls this method through the
+     * implementation of {@code JavaLangAccess}, which is an anonymous class that we cannot
+     * substitute to force inlining, so we substitute the calling class to invoke this method
+     * directly in {@link Target_jdk_incubator_concurrent_ScopedValue_Carrier}.
+     */
     @Substitute
+    @AlwaysInline("Must ensure that this can never become a call that can trigger a stack overflow and leak bindings outside the scope.")
+    @Uninterruptible(reason = "Must not call other methods which can trigger a stack overflow.", mayBeInlined = true)
     @TargetElement(onlyWith = JDK20OrLater.class)
-    static Object findScopedValueBindings() {
-        /*
-         * We don't have the means to extract the bindings object parameter from runWith frames on
-         * the stack like HotSpot does. However, at this time, we need to support only two cases:
-         * current bindings in a virtual thread, and current bindings in the carrier thread.
-         */
-        Object bindings = JavaThreads.toTarget(Thread.currentThread()).scopedValueBindings;
-        if (bindings != null) {
-            return bindings;
+    static void setScopedValueBindings(Object bindings) {
+        Target_java_lang_Thread thread = SubstrateUtil.cast(PlatformThreads.currentThread.get(), Target_java_lang_Thread.class);
+        if (LoomSupport.isEnabled() && thread.vthread != null) {
+            thread = SubstrateUtil.cast(thread.vthread, Target_java_lang_Thread.class);
         }
-        return JavaThreads.toTarget(currentCarrierThread()).scopedValueBindings;
+        thread.scopedValueBindings = bindings;
+    }
+
+    /**
+     * On HotSpot, this method determines the correct ScopedValue bindings for the current context
+     * by finding the top {@code runWith} invocation on the stack and extracting the bindings object
+     * parameter from the frame. It is used following stack overflows and other situations that
+     * could result in bindings leaking to another scope, during which {@link #scopedValueBindings}
+     * is cleared as a precaution. We don't have the means to extract the bindings object from the
+     * stack, but we ensure that {@link #setScopedValueBindings} does not trigger stack overflows,
+     * so this method should never be needed.
+     */
+    @Substitute
+    @TargetElement(onlyWith = JDK20OrLater.class)
+    static Object findScopedValueBindings() {
+        throw VMError.shouldNotReachHere("ScopedValue bindings are never cleared.");
     }
 
     @Substitute

diff --git a/...e/src/com/oracle/svm/core/thread/Target_jdk_incubator_concurrent_ScopedValue_Carrier.java b/...e/src/com/oracle/svm/core/thread/Target_jdk_incubator_concurrent_ScopedValue_Carrier.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2023, 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package com.oracle.svm.core.thread;
+
+import java.util.concurrent.Callable;
+import java.util.function.BooleanSupplier;
+
+import org.graalvm.compiler.serviceprovider.JavaVersionUtil;
+import org.graalvm.nativeimage.Platform;
+import org.graalvm.nativeimage.Platforms;
+
+import com.oracle.svm.core.annotate.Alias;
+import com.oracle.svm.core.annotate.Substitute;
+import com.oracle.svm.core.annotate.TargetClass;
+import com.oracle.svm.core.jdk.ModuleUtil;
+
+@Platforms(Platform.HOSTED_ONLY.class)
+final class IncubatorConcurrentModule implements BooleanSupplier {
+    @Override
+    public boolean getAsBoolean() {
+        return JavaVersionUtil.JAVA_SPEC >= 20 && ModuleUtil.bootLayerContainsModule("jdk.incubator.concurrent");
+    }
+}
+
+/**
+ * Substituted to directly call {@link Target_java_lang_Thread#setScopedValueBindings} for forced
+ * inlining.
+ */
+@TargetClass(className = "jdk.incubator.concurrent.ScopedValue", innerClass = "Carrier", onlyWith = IncubatorConcurrentModule.class)
+final class Target_jdk_incubator_concurrent_ScopedValue_Carrier {
+    @Alias int bitmask;
+
+    @Substitute
+    private <R> R runWith(Target_jdk_incubator_concurrent_ScopedValue_Snapshot newSnapshot, Callable<R> op) throws Exception {
+        Target_java_lang_Thread.setScopedValueBindings(newSnapshot);
+        try {
+            return Target_jdk_internal_vm_ScopedValueContainer.call(op);
+        } finally {
+            Target_java_lang_Thread.setScopedValueBindings(newSnapshot.prev);
+            Target_jdk_incubator_concurrent_ScopedValue_Cache.invalidate(bitmask);
+        }
+    }
+
+    @Substitute
+    private void runWith(Target_jdk_incubator_concurrent_ScopedValue_Snapshot newSnapshot, Runnable op) {
+        Target_java_lang_Thread.setScopedValueBindings(newSnapshot);
+        try {
+            Target_jdk_internal_vm_ScopedValueContainer.run(op);
+        } finally {
+            Target_java_lang_Thread.setScopedValueBindings(newSnapshot.prev);
+            Target_jdk_incubator_concurrent_ScopedValue_Cache.invalidate(bitmask);
+        }
+    }
+}
+
+@TargetClass(className = "jdk.internal.vm.ScopedValueContainer", onlyWith = IncubatorConcurrentModule.class)
+final class Target_jdk_internal_vm_ScopedValueContainer {
+    @Alias
+    static native <V> V call(Callable<V> op) throws Exception;
+
+    @Alias
+    static native void run(Runnable op);
+}
+
+@TargetClass(className = "jdk.incubator.concurrent.ScopedValue", innerClass = "Snapshot", onlyWith = IncubatorConcurrentModule.class)
+final class Target_jdk_incubator_concurrent_ScopedValue_Snapshot {
+    @Alias //
+    Target_jdk_incubator_concurrent_ScopedValue_Snapshot prev;
+}
+
+@TargetClass(className = "jdk.incubator.concurrent.ScopedValue", innerClass = "Cache", onlyWith = IncubatorConcurrentModule.class)
+final class Target_jdk_incubator_concurrent_ScopedValue_Cache {
+    @Alias
+    static native void invalidate(int toClearBits);
+}
diff --git a/...acle.svm.core/src/com/oracle/svm/core/thread/Target_jdk_internal_vm_ThreadContainers.java b/...acle.svm.core/src/com/oracle/svm/core/thread/Target_jdk_internal_vm_ThreadContainers.java
@@ -41,8 +41,10 @@
 @TargetClass(className = "jdk.internal.vm.ThreadContainers", onlyWith = JDK19OrLater.class)
 @SuppressWarnings("unused")
 final class Target_jdk_internal_vm_ThreadContainers {
+    // Checkstyle: stop
     @Delete static Set<WeakReference<Target_jdk_internal_vm_ThreadContainer>> CONTAINER_REGISTRY;
     @Delete static ReferenceQueue<Object> QUEUE;
+    // Checkstyle: resume
 
     @Substitute
     public static Object registerContainer(Target_jdk_internal_vm_ThreadContainer container) {