Rendering a jpeg on linux using JavaFX results in a crash caused by memory corruption.
The function where the corruption happens is this one:
https://github.com/openjdk/jfx/blob/master/modules/javafx.graphics/src/main/native-iio/jpegloader.c#L1594,
(note: the barray parameter is passed via 0x4, while running this via hotspot just passes the address)
This function has nested calls to (*env)->GetPrimitiveArrayCritical.
Commenting out line 1668

```c
jbyte *body = (*env)->GetPrimitiveArrayCritical(env, barray, &iscopy);
```

and its corresponding Release call prevents the crash (but obviously data can't be copied into the byte[] in that case, resulting in a black picture).
Replacing these 2 lines

```c
jboolean iscopy = FALSE;
jbyte *body = (*env)->GetPrimitiveArrayCritical(env, barray, &iscopy);
```

with

```c
jbyte *body = (*env)->GetPrimitiveArrayCritical(env, barray, NULL);
```

fixes the issue.
Looking at com/oracle/svm/jni/functions/JNIFunctions.java, the signature is correctly defined in the comments:

```java
// jvoid * GetPrimitiveArrayCritical(JNIEnv *env, jarray array, jboolean *isCopy);
```

but the Java method has a CIntPointer (where a jboolean is 8 bits); maybe the write is modifying the other 24 bits as well?

```java
static WordPointer GetPrimitiveArrayCritical(JNIEnvironment env, JNIObjectHandle harray, CIntPointer isCopy) {
    ...
    if (isCopy.isNonNull()) {
        isCopy.write((byte) 0);
    }
    ...
}
```
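The width mismatch described in this report, as an added C example (not code from the jfx or GraalVM sources): the caller hands over the address of a one-byte `jboolean`, and a callee that writes a 32-bit value through that pointer (what `CIntPointer.write` does) also overwrites the three bytes that follow it. The `struct frame` below stands in for the caller's stack layout, and all names are assumed.

```c
#include <stdint.h>
#include <string.h>

typedef uint8_t jboolean;   /* JNI's jboolean is an 8-bit type */
#define JNI_FALSE 0

/* Model of the caller's frame: the jboolean sits next to other live data. */
struct frame {
    jboolean iscopy;
    uint8_t  neighbours[3];  /* stands in for whatever follows on the stack */
};

/* Buggy callee: stores a 32-bit int through the out-parameter, as the
 * CIntPointer version of GetPrimitiveArrayCritical effectively does. */
static void write_iscopy_as_int(void *is_copy) {
    int32_t v = JNI_FALSE;
    if (is_copy != NULL)
        memcpy(is_copy, &v, sizeof v);   /* 4 bytes: clobbers 3 neighbours */
}

/* Correct callee: stores exactly one jboolean. */
static void write_iscopy_as_byte(jboolean *is_copy) {
    if (is_copy != NULL)
        *is_copy = JNI_FALSE;
}

/* Runs one of the callees against a constructed frame and returns how many
 * neighbour bytes were corrupted. pass_null mirrors the reporter's
 * workaround of passing NULL instead of &iscopy. */
int corrupted_bytes(int buggy, int pass_null) {
    const uint8_t expect[3] = { 0xAA, 0xBB, 0xCC };   /* constructed sentinel */
    struct frame f = { .iscopy = 1, .neighbours = { 0xAA, 0xBB, 0xCC } };
    void *arg = pass_null ? NULL : (void *)&f.iscopy;

    if (buggy)
        write_iscopy_as_int(arg);
    else
        write_iscopy_as_byte((jboolean *)arg);

    int n = 0;
    for (int i = 0; i < 3; i++)
        if (f.neighbours[i] != expect[i])
            n++;
    return n;
}
```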
Thanks for your report! Indeed the pointer incorrectly uses a CIntPointer. @mukel has a fix that is in the process of merging.
Fixed in f237c4296bae102cd6983ab4f4e0b2f465712a4f