ART: Fix use-after-free
Fix use-after-free because of vector resize.
Bug: 62353392
Test: m test-art-host
Test: SANITIZE_HOST=address art/test/testrunner/testrunner.py -b --host -t 911
Change-Id: If6d925cb73d9e926ee90714e8682530e1990edf4
diff --git a/runtime/openjdkjvmti/ti_stack.cc b/runtime/openjdkjvmti/ti_stack.cc
index ee89372..a17226c 100644
--- a/runtime/openjdkjvmti/ti_stack.cc
+++ b/runtime/openjdkjvmti/ti_stack.cc
@@ -359,8 +359,8 @@
self, thread->GetPeerFromOtherThread());
thread_peers.push_back(peer);
- frames.emplace_back();
- return &frames.back();
+ frames.emplace_back(new std::vector<jvmtiFrameInfo>());
+ return frames.back().get();
}
art::Mutex mutex;
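Review bot: The raw `new` passed to `emplace_back` on the new line at L16 is owned by nobody until the `unique_ptr` element is constructed, so if `frames` has to reallocate and that allocation throws, the fresh vector leaks; the same pattern recurs at L39. Constructing the owner first, `frames.emplace_back(std::make_unique<std::vector<jvmtiFrameInfo>>());`, closes that window and also removes the bare `new`. Nothing in the new code records why the indirection exists, and the removed lines show the previous version handed out `&frames.back()` into storage that a later `emplace_back` could move; a comment on the `frames` member at L24 (and its twin at L48) such as `// Per-thread frame vectors are heap-allocated so the pointer returned by the add callback stays valid when 'frames' grows.` would stop the next maintainer from "simplifying" it back. The function that returns `frames.back().get()` starts before this hunk.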
@@ -371,7 +371,7 @@
// "thread_peers" contains global references to their peers.
std::vector<jthread> thread_peers;
- std::vector<std::vector<jvmtiFrameInfo>> frames;
+ std::vector<std::unique_ptr<std::vector<jvmtiFrameInfo>>> frames;
};
AllStackTracesData data;
@@ -396,7 +396,7 @@
jvmtiStackInfo& stack_info = stack_info_array.get()[index];
memset(&stack_info, 0, sizeof(jvmtiStackInfo));
- const std::vector<jvmtiFrameInfo>& thread_frames = data.frames[index];
+ const std::vector<jvmtiFrameInfo>& thread_frames = *data.frames[index].get();
// For the time being, set the thread to null. We'll fix it up in the second stage.
stack_info.thread = nullptr;
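Review bot: `*data.frames[index].get()` on L31 spells out what `unique_ptr::operator*` already does; `const std::vector<jvmtiFrameInfo>& thread_frames = *data.frames[index];` is equivalent and reads more clearly, and the same applies at L55. If an empty element is ever possible here, neither form checks for it, so a `DCHECK(data.frames[index] != nullptr);` before the dereference would document the invariant that every index was filled by the add path. The enclosing loop body continues outside the hunk.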
@@ -503,8 +503,8 @@
threads.push_back(thread);
thread_list_indices.push_back(index);
- frames.emplace_back();
- return &frames.back();
+ frames.emplace_back(new std::vector<jvmtiFrameInfo>());
+ return frames.back().get();
}
}
return nullptr;
@@ -521,7 +521,7 @@
std::vector<art::Thread*> threads;
std::vector<size_t> thread_list_indices;
- std::vector<std::vector<jvmtiFrameInfo>> frames;
+ std::vector<std::unique_ptr<std::vector<jvmtiFrameInfo>>> frames;
};
SelectStackTracesData data;
@@ -558,7 +558,7 @@
memset(&stack_info, 0, sizeof(jvmtiStackInfo));
art::Thread* self = data.threads[index];
- const std::vector<jvmtiFrameInfo>& thread_frames = data.frames[index];
+ const std::vector<jvmtiFrameInfo>& thread_frames = *data.frames[index].get();
// For the time being, set the thread to null. We don't have good ScopedLocalRef
// infrastructure.